000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847

Analysis

max time kernel
151s
max time network
163s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Size

1.3MB
MD5

4878339563a804b6f94fcc5a363b7535
SHA1

723fb3b6bf650681301632e689e5254f05a003ed
SHA256

000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847
SHA512

170e1553f7d89c27544e13f08e0b140592c4763341b211f5c23ef4c403eaac719288f2bd1af7e4af6235c594a2289262c568e1ec2401acf3a53ab436dd9eaf3e
SSDEEP

12288:rUvCbw6UBL8252uui8FbECP7BhdfswdJ0NXdU8ZWH7DEP1rCJ7U3T:rUvD6t2rR8FfBhRJUEbDk1ulUj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
464	Process not Found
2548	alg.exe
2524	aspnet_state.exe
2544	mscorsvw.exe
924	mscorsvw.exe
1572	mscorsvw.exe
2804	mscorsvw.exe
1588	ehRecvr.exe
1208	ehsched.exe
1032	elevation_service.exe
1140	IEEtwCollector.exe
1628	mscorsvw.exe
1892	mscorsvw.exe
2188	mscorsvw.exe
2980	mscorsvw.exe
2320	mscorsvw.exe
2392	GROOVE.EXE
2424	mscorsvw.exe
2716	mscorsvw.exe
1524	mscorsvw.exe
2372	mscorsvw.exe
3036	maintenanceservice.exe
2648	mscorsvw.exe
2608	msdtc.exe
2544	msiexec.exe
2060	OSE.EXE
1516	OSPPSVC.EXE
1732	perfhost.exe
1660	locator.exe
1316	snmptrap.exe
2236	mscorsvw.exe
2532	vds.exe
2572	vssvc.exe
1084	wbengine.exe
2656	WmiApSrv.exe
2168	wmpnetwk.exe
2000	SearchIndexer.exe
1076	mscorsvw.exe
2516	mscorsvw.exe
1984	mscorsvw.exe

Loads dropped DLL 14 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2544	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
744	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b343fe775465f8f4.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\System32\msdtc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\msiexec.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\wbengine.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\dllhost.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\System32\vds.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\vssvc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B262F552-36A4-4AFD-A8FD-D1AE5D349D55}\chrome_installer.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5A60B5C9-2A55-4243-A33A-3ABAB10F9AC5}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{5A60B5C9-2A55-4243-A33A-3ABAB10F9AC5}	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2840	ehRec.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: 33	1756	EhTray.exe
Token: SeIncBasePriorityPrivilege	1756	EhTray.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeDebugPrivilege	2840	ehRec.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: 33	1756	EhTray.exe
Token: SeIncBasePriorityPrivilege	1756	EhTray.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeShutdownPrivilege	2804	mscorsvw.exe
Token: SeRestorePrivilege	2544	msiexec.exe
Token: SeTakeOwnershipPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	2572	vssvc.exe
Token: SeRestorePrivilege	2572	vssvc.exe
Token: SeAuditPrivilege	2572	vssvc.exe
Token: SeBackupPrivilege	1084	wbengine.exe
Token: SeRestorePrivilege	1084	wbengine.exe
Token: SeSecurityPrivilege	1084	wbengine.exe
Token: SeManageVolumePrivilege	2000	SearchIndexer.exe
Token: 33	2000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2000	SearchIndexer.exe
Token: SeDebugPrivilege	1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	1712	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: 33	2168	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2168	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1756	EhTray.exe
1756	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1756	EhTray.exe
1756	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1628	1572	mscorsvw.exe	40
PID 1572 wrote to memory of 1628	1572	mscorsvw.exe	40
PID 1572 wrote to memory of 1628	1572	mscorsvw.exe	40
PID 1572 wrote to memory of 1628	1572	mscorsvw.exe	40
PID 1572 wrote to memory of 1892	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 1892	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 1892	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 1892	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 2188	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2188	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2188	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2188	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2980	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 2980	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 2980	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 2980	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 2320	1572	mscorsvw.exe	44
PID 1572 wrote to memory of 2320	1572	mscorsvw.exe	44
PID 1572 wrote to memory of 2320	1572	mscorsvw.exe	44
PID 1572 wrote to memory of 2320	1572	mscorsvw.exe	44
PID 1572 wrote to memory of 2424	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 2424	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 2424	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 2424	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 2716	1572	mscorsvw.exe	49
PID 1572 wrote to memory of 2716	1572	mscorsvw.exe	49
PID 1572 wrote to memory of 2716	1572	mscorsvw.exe	49
PID 1572 wrote to memory of 2716	1572	mscorsvw.exe	49
PID 1572 wrote to memory of 1524	1572	mscorsvw.exe	50
PID 1572 wrote to memory of 1524	1572	mscorsvw.exe	50
PID 1572 wrote to memory of 1524	1572	mscorsvw.exe	50
PID 1572 wrote to memory of 1524	1572	mscorsvw.exe	50
PID 1572 wrote to memory of 2372	1572	mscorsvw.exe	51
PID 1572 wrote to memory of 2372	1572	mscorsvw.exe	51
PID 1572 wrote to memory of 2372	1572	mscorsvw.exe	51
PID 1572 wrote to memory of 2372	1572	mscorsvw.exe	51
PID 1572 wrote to memory of 2648	1572	mscorsvw.exe	53
PID 1572 wrote to memory of 2648	1572	mscorsvw.exe	53
PID 1572 wrote to memory of 2648	1572	mscorsvw.exe	53
PID 1572 wrote to memory of 2648	1572	mscorsvw.exe	53
PID 1572 wrote to memory of 2236	1572	mscorsvw.exe	61
PID 1572 wrote to memory of 2236	1572	mscorsvw.exe	61
PID 1572 wrote to memory of 2236	1572	mscorsvw.exe	61
PID 1572 wrote to memory of 2236	1572	mscorsvw.exe	61
PID 1572 wrote to memory of 1076	1572	mscorsvw.exe	68
PID 1572 wrote to memory of 1076	1572	mscorsvw.exe	68
PID 1572 wrote to memory of 1076	1572	mscorsvw.exe	68
PID 1572 wrote to memory of 1076	1572	mscorsvw.exe	68
PID 2000 wrote to memory of 2460	2000	SearchIndexer.exe	69
PID 2000 wrote to memory of 2460	2000	SearchIndexer.exe	69
PID 2000 wrote to memory of 2460	2000	SearchIndexer.exe	69
PID 1572 wrote to memory of 2516	1572	mscorsvw.exe	70
PID 1572 wrote to memory of 2516	1572	mscorsvw.exe	70
PID 1572 wrote to memory of 2516	1572	mscorsvw.exe	70
PID 1572 wrote to memory of 2516	1572	mscorsvw.exe	70
PID 2000 wrote to memory of 2124	2000	SearchIndexer.exe	71
PID 2000 wrote to memory of 2124	2000	SearchIndexer.exe	71
PID 2000 wrote to memory of 2124	2000	SearchIndexer.exe	71
PID 1572 wrote to memory of 1984	1572	mscorsvw.exe	73
PID 1572 wrote to memory of 1984	1572	mscorsvw.exe	73
PID 1572 wrote to memory of 1984	1572	mscorsvw.exe	73
PID 1572 wrote to memory of 1984	1572	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
"C:\Users\Admin\AppData\Local\Temp\000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2544

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f0 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ac -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 1ac -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 298 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 248 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1588

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1140

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
PID:2392

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2060

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2460
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2124

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
816aa6040044984ecd50ea9c3bf09bed

SHA1
c255d432ef7991bc519752d8517bf238d30fa4a8

SHA256
06d9d69382d31f690cb2160864aea8b6f6679f8edf1213574e26dcff423c1c98

SHA512
f7957768a6750e0363cb7a21aeb21f437ecd372938d6e864b86aa4b66024de37582bccebc2b896c038dac5e0c5332c7a474f986ce2ffce4b130257ac1af2acd0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
7.1MB

MD5
9c4d4bc51a8f71bd4e86f9040bb1be17

SHA1
613f271b48865c12cc37e7155ea2fe97032f0c22

SHA256
d5d705aef3933aabf30277627cae6a9db36c45901099cc3aba479f20096b1c82

SHA512
aedd61c9716a2c18cf86066901b1f0fc67c9566e120c5719a82f1fe1d64086da47da9d6e75de31f734f3642c49689bec1fdeaac37091a6a77b4251e697968e1c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
7e4c2885eacee50368094f32370f2e9b

SHA1
510f11b6a81306b8f533d81d65f45da21aea9709

SHA256
3df0338b0c64c5235efbff87a1e12e5644b266d4ed0040f44f187aa80ceb7dcb

SHA512
822c9299a814489229de7f8a51c382ccab19420c0c7e7d0df919f425aa3ee2af56ce3114b3c62d57fbbee562f1b94ceb1174691fcf410aa75e38b59ae1e1bdb2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.6MB

MD5
86871e526e1a1d5c3908b2286f8fa2f3

SHA1
c06234d89e77b92933817221b7b81ffb940a53e8

SHA256
b1b38c43b4f64712953457a959a1bec15adac71185df8d77f8e95684f96c626b

SHA512
6a990734f0ec908ba65dc7f56da8c510ac4be4b1c705a0ec0a72b93efdeb6dbab1941f3f507f68e4c27a56d9afdcf748b7bc294c1ed8d7d9b6ee5dba5bc080af

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
047004bf5418a57fa095b01895844d74

SHA1
f342e5aad43fb02055b21e17e71e550cbb4dcd5c

SHA256
9e8e3839b0ec904ab3c0011da06b3a5c51e9b49287358dff8b14a712bf8208f4

SHA512
37e60ecef61f1858b8ca2ca1f1c4e2279226ae950285857ba9431d1733be35c4019bfb650d228b6c34d12596f321422286a10d7cc3ae7a90e93ecfe88145c9a2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3228c9f08f17cd1b7f4b3df37c3f6749

SHA1
9f505cae3f790029b8313d1d569a1e8eac1ba082

SHA256
47eaf0924719397423e564ea9a19df6e10680f5f6dacf6f07f8da470f0c57611

SHA512
1307e5f1a5428e2efe0fe79ccb96e21a2a50a7e1016dba66ba9a070310bc541bb0b23c92f964bda904b5afe9be6433589d7b75426695fee9ed956455847bd40f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c6c09716cabf2a8492f03b877b2d2a07

SHA1
cb6e3ddb0ff946d8fa0345fa5381ead2b3eccadb

SHA256
80d1e6033351021783f6284a4abb80913d1e82c09d19ede91e9ae4f367dce84e

SHA512
a6f2c0c70820957de373e6546ceca809c8997cff233434b28cfaf80352a81628b7f6c6ea18f7dc5c0729b071507bcf92d6843a54c0d29c609a28525152d825fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
6aed451fc3541106f2c5227abad09d68

SHA1
d12491f219f7d43fd1dc27ac639364af2a8890d3

SHA256
178154a1253deba4054992326a2d85724877e922234eae956b29a820f34120eb

SHA512
50e615190c4f455e0fbf6ecf31e35af6eb85a8da50175ee81b32e92a514ba7c5738b776ff8b0e220bc2959b87f89e202290f83774246e9bf44a535f8df954b9c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
dd8a1377b403e32325d62596f09e444c

SHA1
0d665e69f0f6a0f3ae881f2b613ccf20cba395a3

SHA256
b35d4c8d9e0141e7ca486a0f99ea161dec098f701e1c7e7315c984035db79099

SHA512
a47e8d5c3ffda0140e73d441b0cb1df7f4a67f5576640854bb206cabd21de89ebacba294737370cd1117c6be2195012c90de026bc912ea934c08a65b7dfccbfb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
2ce96ebfab3978ead34c9a603e8c3d96

SHA1
2b5f3cfb3f30348f991c1acd3e46b99ce9b6d87a

SHA256
ddb7a7d6ce60f66592d72b0847aafe6b2894c03bb704ab10ea2184bb0e6a81ad

SHA512
dd80f3e345035f4b8f93c6bbd5b3076f68e6c62b60a8e58c43d6ea230899ebc5ce8634cd5f4f0a0f8a0dfff61abac5ddf4bfcecce84860d57dde40813aac2f9c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
e414051ec5999ba1a78a56c0a868ed91

SHA1
9787e56b8a18abe65b4320ecf562984028398abd

SHA256
a1477a7ec7fc12405033d871874bf077401c2d56205151e9b3594bb4c2eaca60

SHA512
27423c14156922e0fd71884ca83984ddd4fa9fa1f5640d3d907a1bff2820b4280a75c1f70f12e60d0d071e3185bb9b9607c1d93c7ea9826e9fbab5e8130f1efe

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
2f0c6e26276541266c3770ded03e957c

SHA1
7250e13e82b0fb278336d91436dc6c8525989d35

SHA256
1fda03d94a6df55ca37001cecda156b4c34c71d0772500278e6f559b8c9682e7

SHA512
5400cc7227dbace67894c502cc5c0e0c4ef81129ccdf672a9bd34747fb569ea5cffc4b92e7c7f59bec9f888d1cf7f350ffab7636407c29708d62bf3ca4b1e9aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
d8d960f2043544579c7b78b6a0c2adf0

SHA1
92e009613953e9987defad00d53cfe49327a5452

SHA256
91a1c9df07077544141c87b3cfee12787edacc8151751db1226b9fbf9ccd9cc8

SHA512
43390e72074d1fa7d4f71097a332cf527c99e3150fece5fdeb298ca59187c5dcccdd5c7d6fe51e8d418ebbbbc598d1cdf3f6cc7d3900154ccccdd0a24ecdc0b0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
ccb1d7203cdfe9b3b64b15cb2313c771

SHA1
050ef0888b8ccde12bb5da95fdb4d8b3241a0b6b

SHA256
49466872e645517fe79e552cf902df21f535e3fc6047c966f92b645f94dca660

SHA512
33720267939596310ff8d519d6608a4e08d0ce46ae92b82d2fb8e34314b1fffb8786cd1600769243adc7355479f3304a3813f3daab78dab225ebde251ebb199e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
d91e340907aabcf88a029791785ad5fd

SHA1
3c51a98d05a4ef8397447c6ee1ba3dd4dbf78ee9

SHA256
f766b0f90d20d25cd46eff3ba5e458f0d6af98aef51d4f7a10651b3cbfd7c502

SHA512
b2e859b6075065e8c02011c47b00a20bd8bd7d3be0a134bd719bdc51905c48eff807a058e5d7c58b9213d842daabfc2ddfa2a0dafcf99b22f56eae0db02ced92

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
41fb02dfbd7af3fc53561ae9fa352aba

SHA1
5010ba98f1ef7aad32fb155cc8f4b3886a1e8d19

SHA256
f01bf12360f6de57b46723b09176704aa9200f3fe39045db28299874b1f8ef4e

SHA512
25690dd71717092dac3cd3ee1a739d3899acbe3a917cc6a3c994569231c7795c3a48ad99729103e1b7de3da2e3f435cea6290b0187f873b3b8bb3d4c6661bc33

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1024KB

MD5
4ad641ef62665565619f9b4bf9007c14

SHA1
54f723082605b5bc2065a5cd28983594018fb21d

SHA256
990df27c54079a5a538765640702f979ba585ecf7b439a8f282004467b59da89

SHA512
6109349cac721fec735713f6ac6e0358a42030191b829263ac9c3ba20b71525451603ed1674241cbda85b46b20eca239ec09df110f87fbba451dce538be0ae67

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
01dd3f900675bdfce348eb3c103e2dde

SHA1
28d33dbd7a21f562b1828c9a3ef9325f114713f2

SHA256
51098aeeaace19176f3069322bdf30a7d410566c775f4af938f64e693294d576

SHA512
cab1759aff43cc81b63da05672b6074cdb9b02ab588c3d3f158b1a79a0af9bfd308cf23be3dd564381ca6336c8caff59fa5622f5f6e5c44384e43c72fc1cff41

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
c8343d3d3d6da171772de6ebeebec363

SHA1
9270adf245cddab3bef2b0824cbaf87cb17ec2c7

SHA256
bd8b091998d1176db806678b6672f8e13bd611e1aea83444c1dc1e9123db7231

SHA512
d51e6432e31aee824c49cbf4bcc477b6f017c5f06bc6b8f31a04febc6bae58d8d0b00e057ad9813b1f6a4f84923edb4cb682e73c0dd6f0c2e9021aaf6d4e11aa

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
832KB

MD5
cd84be82c6ff335c61343f348b23dd59

SHA1
2a795e556e216f555617db30459987b553da3fd0

SHA256
1564a79674556b8146e6d6bb05bc20624d199dfdbc5d6ca42b968aea2d0ceff8

SHA512
9e1178f097757c52d9ef10a5fdff81752a1cb892f7f5f1220f66b079ad34d33af2a51431a90a492831b2268f3390788c6230ab86ed08065f1aa028ff7e96d872

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
815c5ec1e2d26f5e8a9e0a290b0e0ab1

SHA1
ef21625e72c9d1bac2c85cb109859301539576a3

SHA256
d21a8a8ef898c70a738ac7b7efff77f3f85bc5107e8c1fa776d08111981b2fde

SHA512
d8b376fddcbec3d06f6db49c970067fc0edb75f2497e548db74bdb9b6b69f65dd7e8f273c6823c185e5e826719253c6ae3a290916a63ddfd2215a2478a61064b

Download Submit
C:\Windows\System32\vds.exe

Filesize
384KB

MD5
1389de39679ed8233fe3819241bcc966

SHA1
88041fec227371c51272bfc23c86a2763f5001a8

SHA256
e8370f14d4a75e5cc5c4f7bc9629b3d912a1977f0cc8aabb87c0bca93d524fd2

SHA512
4bab7783115c5d2821bba3c13e6ab7206f320bfff23495e79f58037241f276a805a9f7d4c933dd637866a82663455cdfed8d3583f47bf3bb44d2e21f66861f0a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
256KB

MD5
ce72366f49cf68f43ce08e4d27cb8931

SHA1
5fb81c5ff634bdbca1f5a183167ce7e5075157df

SHA256
dd09d0917daeec7a46965c8434607bfefecf0716fe4e3b9c5160a570876d5b08

SHA512
cc27f479c7e28fcecb3cc31e3f1e033285659225732f7b4708bb7eb936931118d25a5229894050b4ea1c8527a065290e5bab4aff1eff523672f3fda9b0f74b7e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
896KB

MD5
fd6cb857db52eceb30b8a74221b300f1

SHA1
7d0135d16cd441e0434fc914be224bcf1f6a2509

SHA256
948121f67bceea7bd0589b1ed78cb38811024ea291cd42ffdfb54f5f24228eb1

SHA512
1b0bcedf928082c7959fd6b00d8ba99212aa86a9efc4e6a2fe1270c3564e73f51d3dc2fd2ede490c690fb4028ff5996f9f54ce6c9703fdd51ba3abfdef160ac3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
b25eb33b7f6afeaff82f342c2f050393

SHA1
1c141b28c234cdf3bfb38381c2c8712c776dae4e

SHA256
bb3caab95b489562d65a110504bcaf71940ac9271ffd62b2f74edbcd17296814

SHA512
dcd7d392f785a347ebf2c0483e93163d2d7410d9d10d5e93fa5179324a12e62b0b3a37698c843433d3cc548d2586f2e6fba547b971dcac1f77959a9a6896b8e6

Download Submit
\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
dd308a82bac966c42f06b795799743e2

SHA1
c24a0b986f7e324137e9901bd6c9403ea50cff80

SHA256
84096d3baa2a501ca421cb5d474568e813f7c1b4996a6c2723a9a38c1bb56242

SHA512
cfde267e92616d59e5ab5e88415090309ce5de567c632c744ed5987c6cd049c3c753bcf289fcc3dc462621469ca35fdb42cc8169acee3cf5d513b197bea27869

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c340210e88eaa2bbb88d21c9dcafa502

SHA1
52c52a321a56d4e44f511a4a376ac00c4277d6c0

SHA256
38edce2805e88b9a5c37b71363760b3a7f95b2f3404fcf8d185914afebf10052

SHA512
35531aacef55d868361c42d31650bdcb5ddccc5d7c8f236e076eb409708f9c8fd4d6bfcf9a6e3335c4fbabfd412900f96b2529bbf9885e2ce806d87f70d122b5

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
f387eaa2603b44628f78f86c53e02afa

SHA1
9a20a14a4c574666f57be4f088a48704a5fce87a

SHA256
2954dadc3007129d541a6a62731de631ab250e78a6c45439081798b1aeb3d01a

SHA512
294422b3c75295c08692b85c7cf9b9e2b99b2a46480d14ee753f9911aa7f922313f8f7c9ad15a410be649adbe9cf5d2136c12a025a6b3c02ffd3fe5f080b938b

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
595cc5e455b9e817b3a9ae3d9cd7ba6c

SHA1
cb50d98975c6c5de3946b82c2ff57beb3ddbf405

SHA256
07e9195453a87b71b4e49c6676f07adce0614cce088f475d10bb62ebe62f9385

SHA512
d1368abbfcb8512a212b97d37603251664b4eca802fc8a0c4540c6d44d00cd720cd705409ba2677683bc72d4d2ef5a4a909c2dce51c245ee55283107fc3c3d4b

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.2MB

MD5
6071d1b80903903ca8ec74cde42ee293

SHA1
46f27e94be8e05c3a9a63da290d9d29f7948c69f

SHA256
6d9bb72fcabb2733d0b1d01e1e35b8310ed263e7d31767a321055ba79e9f5ca1

SHA512
4c8a43a95b81e5b14d36af8d58b3fb614278fb3ebf3974c7d75b3f9fb110766dcb243ecd55c93ef1a1ca53fcda22c4a01d4ccbb2ebac2eea088e78c8bab798aa

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
76fd58210207953d091c5fb10bb2e49f

SHA1
c58a2310eb0a0c4e85ab62d6e36335d47ee29132

SHA256
717e1851acfa447149bc2784cae9dd9742a4e5abb79536ad7cfb6da46a106ae7

SHA512
9f5691799a8c435748510cd6f6add08339c4201fa35bfd7f38f12f41bc657bccd8ecc09ba0a56e3ffc453314ae0c06a8fcdce3d99acd6d91fbd40334fe42f086

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
bd017f26ad83f62fbe6aa86b422272f7

SHA1
d7f5564e5f850b57c3333911bfc789512785c6c4

SHA256
0e9365386f46a349380b830500c0610033c5504706930d7c458ba461642c1b3e

SHA512
656623b5616d1e4a6a453440ab2082042ff56fff35ed9cdde0690b7ba06664b2c32bc3c348f1dae1fa050a394af703d6e682eac2f7533fb71cdb597115afe0dc

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
74da47feb3f5127375e2b3a88d135f7d

SHA1
3d55ab39b67f1db78b28c46321babb2d5809c360

SHA256
f5eadac4914248da1096cd6648f7e4da11241458bba01fb3186bfae394845806

SHA512
f99250373090f369bd2faaf231bc3e5afa2ac2bb398ef08a24ca7e561ec23c117f4acec0e75f0bd7993346561640fbdfbdc6e2eb154fb70a35c44e0aa0220ced

Download Submit
memory/924-106-0x0000000010000000-0x0000000010133000-memory.dmp

Filesize
1.2MB

Download
memory/924-47-0x0000000010000000-0x0000000010133000-memory.dmp

Filesize
1.2MB

Download
memory/1032-136-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1032-126-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1032-188-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1032-127-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1140-243-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1140-141-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1208-112-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1208-110-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1208-117-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1208-118-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1208-164-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1572-61-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1572-135-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1572-54-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1572-55-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1588-125-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1588-94-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1588-160-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1588-175-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1588-102-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1588-121-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1588-95-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1588-122-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1628-155-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1628-163-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1628-177-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1628-179-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1628-162-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/1712-0-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/1712-8-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/1712-1-0x0000000140000000-0x0000000140214000-memory.dmp

Filesize
2.1MB

Download
memory/1712-72-0x0000000140000000-0x0000000140214000-memory.dmp

Filesize
2.1MB

Download
memory/1712-7-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/1892-204-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1892-205-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1892-178-0x0000000000BB0000-0x0000000000C16000-memory.dmp

Filesize
408KB

Download
memory/1892-189-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-218-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-203-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-200-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/2188-217-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2320-270-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2320-242-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2320-229-0x0000000000540000-0x00000000005A6000-memory.dmp

Filesize
408KB

Download
memory/2392-253-0x0000000000640000-0x00000000006A6000-memory.dmp

Filesize
408KB

Download
memory/2392-247-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2424-266-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-264-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2524-109-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/2524-28-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/2544-31-0x0000000010000000-0x000000001012B000-memory.dmp

Filesize
1.2MB

Download
memory/2544-32-0x0000000000A00000-0x0000000000A66000-memory.dmp

Filesize
408KB

Download
memory/2544-37-0x0000000000A00000-0x0000000000A66000-memory.dmp

Filesize
408KB

Download
memory/2544-84-0x0000000010000000-0x000000001012B000-memory.dmp

Filesize
1.2MB

Download
memory/2544-38-0x0000000000A00000-0x0000000000A66000-memory.dmp

Filesize
408KB

Download
memory/2548-22-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2548-93-0x0000000100000000-0x0000000100130000-memory.dmp

Filesize
1.2MB

Download
memory/2548-21-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2548-14-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2548-15-0x0000000100000000-0x0000000100130000-memory.dmp

Filesize
1.2MB

Download
memory/2804-146-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/2804-80-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2804-71-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2804-74-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/2804-79-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2840-144-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-221-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-199-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2840-198-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-165-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2840-147-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2840-143-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2840-142-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-238-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-237-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2980-219-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-213-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download