643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8

Analysis

max time kernel
94s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
Size

1.2MB
MD5

e1fbdc1b2a6485d545e65a34dc19b8b8
SHA1

4ba8dd06322c7f2a48f63fc3b86099e757090ccc
SHA256

643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8
SHA512

af3fb839a4c6d7de85af1e6c7956d7f5a8b22f6b4659bd844dd0a620bf3d307e88b51e855c3d947ce42c02086cd9911373978636960c2a20fe52d9e4175e7454
SSDEEP

12288:MdL4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:yL4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 54 IoCs

pid	Process
476	Process not Found
3024	alg.exe
2712	aspnet_state.exe
2508	mscorsvw.exe
2472	mscorsvw.exe
2044	mscorsvw.exe
936	mscorsvw.exe
1692	ehRecvr.exe
2112	ehsched.exe
968	elevation_service.exe
2000	IEEtwCollector.exe
1920	GROOVE.EXE
1660	maintenanceservice.exe
2972	mscorsvw.exe
884	msdtc.exe
3008	msiexec.exe
2540	OSE.EXE
2168	OSPPSVC.EXE
2536	dllhost.exe
932	mscorsvw.exe
1816	mscorsvw.exe
2180	mscorsvw.exe
1620	mscorsvw.exe
2628	mscorsvw.exe
2896	mscorsvw.exe
1028	mscorsvw.exe
2760	mscorsvw.exe
2276	mscorsvw.exe
2000	mscorsvw.exe
2304	mscorsvw.exe
1700	mscorsvw.exe
2956	mscorsvw.exe
1972	mscorsvw.exe
2752	mscorsvw.exe
2436	mscorsvw.exe
2896	mscorsvw.exe
2088	mscorsvw.exe
320	mscorsvw.exe
1880	mscorsvw.exe
1144	mscorsvw.exe
2172	mscorsvw.exe
2648	mscorsvw.exe
2164	mscorsvw.exe
1696	mscorsvw.exe
1656	mscorsvw.exe
2032	perfhost.exe
2020	locator.exe
2560	snmptrap.exe
1456	vds.exe
1660	vssvc.exe
2720	wbengine.exe
2844	WmiApSrv.exe
2288	wmpnetwk.exe
2680	SearchIndexer.exe

Loads dropped DLL 15 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
3008	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
740	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\650c85e256fe8faa.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FDD97062-5EC7-4C05-89F0-5B59218BDAB9}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FDD97062-5EC7-4C05-89F0-5B59218BDAB9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{FFCAA31D-3509-4014-87C9-E620C57E323E}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{FFCAA31D-3509-4014-87C9-E620C57E323E}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1280	ehRec.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2884	643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: 33	284	EhTray.exe
Token: SeIncBasePriorityPrivilege	284	EhTray.exe
Token: SeDebugPrivilege	1280	ehRec.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeRestorePrivilege	3008	msiexec.exe
Token: SeTakeOwnershipPrivilege	3008	msiexec.exe
Token: SeSecurityPrivilege	3008	msiexec.exe
Token: 33	284	EhTray.exe
Token: SeIncBasePriorityPrivilege	284	EhTray.exe
Token: SeDebugPrivilege	3024	alg.exe
Token: SeShutdownPrivilege	936	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2712	aspnet_state.exe
Token: SeBackupPrivilege	1660	vssvc.exe
Token: SeRestorePrivilege	1660	vssvc.exe
Token: SeAuditPrivilege	1660	vssvc.exe
Token: SeBackupPrivilege	2720	wbengine.exe
Token: SeRestorePrivilege	2720	wbengine.exe
Token: SeSecurityPrivilege	2720	wbengine.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeDebugPrivilege	2712	aspnet_state.exe
Token: SeManageVolumePrivilege	2680	SearchIndexer.exe
Token: 33	2680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2680	SearchIndexer.exe
Token: 33	2288	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2288	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
284	EhTray.exe
284	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
284	EhTray.exe
284	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2972	936	mscorsvw.exe	42
PID 936 wrote to memory of 2972	936	mscorsvw.exe	42
PID 936 wrote to memory of 2972	936	mscorsvw.exe	42
PID 936 wrote to memory of 932	936	mscorsvw.exe	48
PID 936 wrote to memory of 932	936	mscorsvw.exe	48
PID 936 wrote to memory of 932	936	mscorsvw.exe	48
PID 936 wrote to memory of 1816	936	mscorsvw.exe	49
PID 936 wrote to memory of 1816	936	mscorsvw.exe	49
PID 936 wrote to memory of 1816	936	mscorsvw.exe	49
PID 2044 wrote to memory of 2180	2044	mscorsvw.exe	50
PID 2044 wrote to memory of 2180	2044	mscorsvw.exe	50
PID 2044 wrote to memory of 2180	2044	mscorsvw.exe	50
PID 2044 wrote to memory of 2180	2044	mscorsvw.exe	50
PID 2044 wrote to memory of 1620	2044	mscorsvw.exe	51
PID 2044 wrote to memory of 1620	2044	mscorsvw.exe	51
PID 2044 wrote to memory of 1620	2044	mscorsvw.exe	51
PID 2044 wrote to memory of 1620	2044	mscorsvw.exe	51
PID 2044 wrote to memory of 2628	2044	mscorsvw.exe	52
PID 2044 wrote to memory of 2628	2044	mscorsvw.exe	52
PID 2044 wrote to memory of 2628	2044	mscorsvw.exe	52
PID 2044 wrote to memory of 2628	2044	mscorsvw.exe	52
PID 2044 wrote to memory of 2896	2044	mscorsvw.exe	53
PID 2044 wrote to memory of 2896	2044	mscorsvw.exe	53
PID 2044 wrote to memory of 2896	2044	mscorsvw.exe	53
PID 2044 wrote to memory of 2896	2044	mscorsvw.exe	53
PID 2044 wrote to memory of 1028	2044	mscorsvw.exe	54
PID 2044 wrote to memory of 1028	2044	mscorsvw.exe	54
PID 2044 wrote to memory of 1028	2044	mscorsvw.exe	54
PID 2044 wrote to memory of 1028	2044	mscorsvw.exe	54
PID 2044 wrote to memory of 2760	2044	mscorsvw.exe	55
PID 2044 wrote to memory of 2760	2044	mscorsvw.exe	55
PID 2044 wrote to memory of 2760	2044	mscorsvw.exe	55
PID 2044 wrote to memory of 2760	2044	mscorsvw.exe	55
PID 2044 wrote to memory of 2276	2044	mscorsvw.exe	56
PID 2044 wrote to memory of 2276	2044	mscorsvw.exe	56
PID 2044 wrote to memory of 2276	2044	mscorsvw.exe	56
PID 2044 wrote to memory of 2276	2044	mscorsvw.exe	56
PID 2044 wrote to memory of 2000	2044	mscorsvw.exe	57
PID 2044 wrote to memory of 2000	2044	mscorsvw.exe	57
PID 2044 wrote to memory of 2000	2044	mscorsvw.exe	57
PID 2044 wrote to memory of 2000	2044	mscorsvw.exe	57
PID 2044 wrote to memory of 2304	2044	mscorsvw.exe	58
PID 2044 wrote to memory of 2304	2044	mscorsvw.exe	58
PID 2044 wrote to memory of 2304	2044	mscorsvw.exe	58
PID 2044 wrote to memory of 2304	2044	mscorsvw.exe	58
PID 2044 wrote to memory of 1700	2044	mscorsvw.exe	59
PID 2044 wrote to memory of 1700	2044	mscorsvw.exe	59
PID 2044 wrote to memory of 1700	2044	mscorsvw.exe	59
PID 2044 wrote to memory of 1700	2044	mscorsvw.exe	59
PID 2044 wrote to memory of 2956	2044	mscorsvw.exe	60
PID 2044 wrote to memory of 2956	2044	mscorsvw.exe	60
PID 2044 wrote to memory of 2956	2044	mscorsvw.exe	60
PID 2044 wrote to memory of 2956	2044	mscorsvw.exe	60
PID 2044 wrote to memory of 1972	2044	mscorsvw.exe	61
PID 2044 wrote to memory of 1972	2044	mscorsvw.exe	61
PID 2044 wrote to memory of 1972	2044	mscorsvw.exe	61
PID 2044 wrote to memory of 1972	2044	mscorsvw.exe	61
PID 2044 wrote to memory of 2752	2044	mscorsvw.exe	62
PID 2044 wrote to memory of 2752	2044	mscorsvw.exe	62
PID 2044 wrote to memory of 2752	2044	mscorsvw.exe	62
PID 2044 wrote to memory of 2752	2044	mscorsvw.exe	62
PID 2044 wrote to memory of 2436	2044	mscorsvw.exe	63
PID 2044 wrote to memory of 2436	2044	mscorsvw.exe	63
PID 2044 wrote to memory of 2436	2044	mscorsvw.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe
"C:\Users\Admin\AppData\Local\Temp\643e21c20bc78ecb8023fcf65903b664bb733fa1eab83917d487b71007e8d6e8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2508

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 244 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 23c -NGENProcess 1f0 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 244 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 1f0 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1f0 -NGENProcess 264 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 274 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 25c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 240 -NGENProcess 290 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 244 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 298 -NGENProcess 290 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 2a0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 284 -NGENProcess 2a0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 258 -NGENProcess 1a4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1692

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:968

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2000

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2540

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2168

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2536

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2680
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:2300
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1296
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
262KB

MD5
16382aaa699bbc84e79c709e08e3f6e0

SHA1
c4ae416c09ed4ec6d142e21c89d1a3d65fb71da2

SHA256
33d0f1eb700aca413f1917e1ff49f9cd86559ed9af50c505e2a6854590d4c0cf

SHA512
26a7f79f5ce096a95be6188219b1b717b8510c0510af90199884781b70f38de89e21926a82b365832d579243999e040422569cd9af9501e56e79130f877eaf12

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
3.3MB

MD5
f309aee6e0fbda763de9a91ad9bd04b4

SHA1
8e6c02d80dbe99f197b15676ed009b5757616dc1

SHA256
562d42b6b6df2e11506b488d7c7bdf40a6b34181cfb959e7d2ae14b78a10363c

SHA512
44dbea5f087936a9c9ab13b9353072d1c73de09fec458bc71a9e34db3142ad8771bc56a24086d472f270bd4814ecbf3480ef97440107ac488832e4b5b1ede3db

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a0d6e5313e3f381d2ebfb1caeabf889b

SHA1
7f5aa57a626d950596d7546f25910956eadd725f

SHA256
4f609b500397d20a24f01e593df10b38f4f762511b8469f13ad4c1ea3859ec3b

SHA512
e36002b0def39269522cef7aa21062de561929de82e9633ac758d4b629aa31b4ca27c8c51690b809ef485f474095f3997c8195e4c1cce742102dd922b7f86e50

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
564KB

MD5
23cfbcf7f9fc5f98975c8aff622f434d

SHA1
7ce4977e28ea2b27e534e9b0c904e3dd3f6275a8

SHA256
df91b0e01cd23ceafd31cf6e938342d95b05626d80fe5d863c7474e5feffa320

SHA512
3eb68ff57f5b7b2020214f884231128fcd85cbf3265006e308f5345379700a2f2dd5a0339d03ae1dd84628b3299be84dca66f779b11b61f730726c963ce7b93e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.4MB

MD5
bc06f3439c00f87e0de763247f4473e5

SHA1
29b6dba7d864df12b1d6e6965fe22a0039d362b1

SHA256
53f03c45e810ddc2ebebaed53112a86e6cc3da44e798583151a8bb0b6f8b30fe

SHA512
933b0dc3f73389c1b3b0e70d04417b68e403eca1efc414e88ab64202417ab8c3f4c7b9fe473fc172285aae436b4e0dfa1519883036f32f2be941db4a423d8aad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6670336fa32e91c4e181ccf8648def07

SHA1
cfc18af8c3a04612ed9e0e9c0a0879862b0deddf

SHA256
39d1a39254779bc8ffb11e0318f7d745bb55a35cef0a442e8757512b4e6ebc61

SHA512
afca85cd5c4af13e53b814fa593bf22493886e7ad5c74763d5f5828ccedc83f98138ea835ac81e7e73f0ee9a94b1b127f7ddb2e47b89115c77f173d6be494350

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
797286f6bd275073e20ba1d6dfc4ff1d

SHA1
1f889d4ed1188976f33ea15dd44f652dfe1225c0

SHA256
b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459

SHA512
6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
6a81d82ae12bdf07ae890aef1d46f9b6

SHA1
226f4f5ae2842f10d6e5498be9b01da4c26552cb

SHA256
71c9eceb7c7672c33fb645b15330967127d6f756088abb63ea05b06f1326c6d9

SHA512
28c72d45339f3d32900f53a730ffa773728fdff40d6824d22436b7964f6011fa80b0ab6d048c6bd7c62e0b7abae8247d9892f485cecd9cc663470aa1044150eb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
832KB

MD5
df2e6b964388f72a6bdaab8266e96198

SHA1
652722ce30700541af2c4e19a5fa09566aad35f8

SHA256
3e0b9990cf2bfa8241aa0502dbf2a55136eb42d175bfb8e40c4b7ca6b3851559

SHA512
65699edf29fa008f9ec0571b7aaeccdeb885944d46408c9b3d414f2c14c5bdd5fc0e6fb7ad1326104c820d691753b38ccd484f9145e5935291b82b5cdf88fd1a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
896KB

MD5
ea483bf51d0df5bdf85928998cc43965

SHA1
f7a2ea4a7ebac74952337556f5dee7614ac4c522

SHA256
2301da2e511f66f76fc9240adec4c5ae9496c6cadf2b5f51671ac15cef591848

SHA512
b663c22f4ace6b9fcdd85e4ce0b9544210425348871a9dd1e71d6eea86f092ff3876f8946ed36c07c614b0f7061a948c53dcd99c8915dee7d6f1b8237b40fb3e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
664KB

MD5
f743d12fccfe7b11d6ab8c52a7f166f7

SHA1
e98b02976852689804d6cb4f5948761cf3792adc

SHA256
2e6f981809f206b5178b444199b44ebb0fe5e4091a72b5ea1a3bb8d0dba08726

SHA512
98359385ea67d11faa17be6836cd0494d0a85c1a820d01ef4de28f3166e4b783fcd0571129cfc5e57483fffdcc8abb9a46461a6231a265e9d2588e485d801ba8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
095897958a2b34cf88cd0ce423d8821b

SHA1
23140b695f2b01f7ab117f79daa8f5f849149633

SHA256
528403d5bb544c21ededb0e8effc06a48d9435e6a66ae5fdd888d6140cba7657

SHA512
2170e6ba12a9330fa483f970151fe4f9d13cb8f7563202cd2f1f7f05b20edac39c22b04469b8eec29023ec54f39320c8f71d1c4dfc988a23922ce2947163cfe8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
3ded5cb7fca83ed5a91877162beae069

SHA1
cb373af199415c91b13f900e145d25cfac764e7d

SHA256
8df26e3027ae33209659062f6d28c082d8b97c82c21d8b63a04f9e3bae73f841

SHA512
fb92cda98e1162a88dbb161304aa8574eb538b28152537b87e3107ac3abe50f4195b26874c36e203f3fa48b5d44f1235ba1069f071935ddb932b1b4465b03d6a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c42698d772dd9bc95f30609cb4273624

SHA1
41c5131ff283e170709541d9eb56537d56cec04c

SHA256
33162feca55f0211eee02d5d895f66926a8c38e5a199025d828108632d07a0a0

SHA512
9c27db9ec78545dfd3900cbb253d20c1dc63ddc2feb1b28868801705256d5ea14ec397ab1cc1c232a5bc312d9240f12d49b7985d4e221868c69fb0a6088341bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
726KB

MD5
4014f4d2c50891e1c30604f4594f8977

SHA1
a34ba7c5839387400bef43e82da7ae3c7bbe02d9

SHA256
dad9a90aa2f978fdf261b5d5da5aa7f62ab2f15756270f47f8c1b0c516f578ae

SHA512
03c53558ef691da1fa1e3253dcef3f590e5667f9b424b3b8e503b1a37c216ba1f785ac054c8febca7b4da5fd043c59ed4ce2ac52049a25bba8a0ca38a1c6b38d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
51cb8d75fa0d308c8d4eaf81c50e1228

SHA1
2d398f92767e60a9fbc7eb58a6840c86deb688e1

SHA256
be31cd6765d3bf929d06c0ade138c73efc9964775b572b67322028b2b076d8f5

SHA512
a96db134aeecc58b5733ea09ce29efa1558fbe98637fdfa9293a15a446e564a6e5bb6d472a9413751777c9728256758e65d673dae1f16238caaa3fb055e7b57a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
448KB

MD5
2110a888ed2d5352382c31361afa8521

SHA1
570ed0aafdb51a74560a903000317f1f87fe60bf

SHA256
3734dd4541853809ea0af7344bb6aabdea226bed1fb3ddfa2c1b9b4c47068f3f

SHA512
918ed20d5f684f7e7262c20804b088f95ae40feefa9a8da92b258fcc64568d9793037a647f9fe8eeb165affad762c79e1d0f9f43bd8374f971e911894f2e5e25

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
d8f230c0ab8eefb521e5c3df3709d699

SHA1
9c7c4bba1f31fd99ce32fb8fc2697bff0e3929ba

SHA256
a120e26e9d53232f65819640b76e19e0549f5494b12e3f1a354d6c76450553f6

SHA512
c9857952203ff094eeea2d3e4b60b422fd9fed981cac788edf441b9b33de66a28cc1234c28849d96a87303f94e8911699d715e7970568f6ddf0a290ef5f74088

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
180KB

MD5
c5c8c6a8c63f273d1f57b8f54e8b6dae

SHA1
6f4b05a1649e5744cbaf404c928f341a9c4abcf7

SHA256
6b5d579a98046b6a594d04d617d84ef8a8a7bb1e627ffd9df2852aca0ea1caf9

SHA512
9cbb475ced0c60535b715be1c02c1a71b0ef63953dd06c89cc2be2106040fc651bed82128858ffad253cc2ddecb0f982f17ef954c39321b80b6d44dbcbd60af2

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.0MB

MD5
0ba8f018f63ab9bf319bd328889a4b1d

SHA1
5f31fa73c1a6ddc4c675393d62e01b89e9154fe9

SHA256
6bb43e9335e6873d2569b49b95f5206690e78405f1452b55cadf43f5ee0ffbce

SHA512
3d4c2de0d8f8fb86c546ab0f20d6557885d4a288bc67b4e7bd991fd88e17f7486d0e904060b63cf06d54acdc267e21fd7358463e56196ef98a93eee560ec346b

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
3312ab242ae97e6c79aa5376a4c406ac

SHA1
e2d3d821bd17ed844a52661feef4a76c7794fdce

SHA256
e53781ed26ea2b5689330897f144005cd6940de9c72851b17f7f8f222ee2be7a

SHA512
6dc7c2892ea79c6f668557f78b5572203d262d49102800fbd141e509fbd2e8f7738c520cc8b95954c05862ad246d4613b7e20a462bb5fdc4369293ab9aa83afd

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
166KB

MD5
ce3f63cc937b38ae009f67a10c48ef2a

SHA1
1da4f686dd50441b55e52a9fc2b0da28e43d0573

SHA256
4662251cb77082927ff0ed1183234efda40117a49566104fe0b11e30e4f0d272

SHA512
c4d4da2ebbc006de2e8038fcc5ad4d5a21d15c4d0b580b86091e572685d23f515601529390ca4f8342cfd50f8b9212fecc6fcad4d0d1c136a5a59274a768c336

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
1414e458971b9ce457253a05b08b5761

SHA1
0909bdb0e6c07f82d5640f025e6aa58cc2565781

SHA256
777f8788f808dfc7834e05dd785fc4c37f25aa6fff1067585b328f6579fb6e2f

SHA512
c1dbc849b8fbe0453bf40c78bcadedac90a87126c57127639cfcf3542fa54dfee036102908d5c6d48b7dd8a2fcc4c593dd94f2b2a2b12cdc1881dbd256a50a8e

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
232KB

MD5
19281a1f2fafe16c093928c5b91d2ea4

SHA1
70e934e053ac216f314336c5bc0df3a65ef5a09f

SHA256
3589eeee53c091f3eb37c8b1e758ebfa142bd29fbb472c7bdc648e292f1a3837

SHA512
9c59287337c4f4b03a996ceded5063a29497d6216dacd1720d618775a8c115439ff850ac4756f7cd09184862c2cb003f0824b890e1c5407663c11887cd5c7280

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
531bd41f918c47e29b1e4f96687f5a0d

SHA1
77d226f1fa72277ffbc4338f8f941f8f9dab8238

SHA256
23ff121d8fb999fdfc3323498ac794f28619c62e4c47ebb5038933229b2a09ad

SHA512
fdf528f0854145ee5355e5cbd0f184cdd1612ff095f268e9bfb919583f0b7a8c90fd082634fac991c468beca8d6598bec079e377707d7f8deef8e7898491c064

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
3ccb5aa538eb22b6dc2c2079240f4393

SHA1
3c576de847a8ad6e0ce2e756ea21aeb57fe7fa89

SHA256
f7e846ecc9b24f87a721f1835c9b512e6b84dae12a4f6dbe163dd0c3e648b533

SHA512
2e64d99a90dc670b26911c01235728110803ba5f2774f25636d91b4e5258d3f209e309c9d5cc16c27092f1cd5c0868d0dbfaaf36b8df2104d927604ff4364825

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
abd068aaa84ee73b0249450d8dc39c27

SHA1
ce229d683d4b8b189c89a97a80c0e1fb7a0e6049

SHA256
c92524a148baafe01815c8e4c6e2448460f6c375d42ca66ffc79fba569f37c35

SHA512
b26ac867f9e09357b10076977775e2572a0155e274e4b1b56f45eb556eda8b837f8de57c136a0ffef7a14ea278506cfe03d1167f69f0f5adc9a52aebc730ed49

Download Submit
\Windows\System32\dllhost.exe

Filesize
651KB

MD5
4c5494a9595e636996e3117f6f7bf4d8

SHA1
b07d6e72bfdc877c38447c560cc2f6e41bc66c4e

SHA256
867c038643dddfd90c6415c6dd0edabc7069916b0fe260b4baf5f9ecddc2997b

SHA512
235f487753e7647709b2d9284a67896a6f35066fbad92654eeb3fbbbdbda1d900f14174ade1812ff96f82c82dec5730755fad9594fb8a66b70f0c1a423d51c13

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
8a7848737d5c79bbbf74d9d9331e733c

SHA1
4c88f00aba7647eb1631425f21bac3f75818bebd

SHA256
20ae97a379329baf2e873cb81390b8a5584c5933a0d9fd569b86e166dd8d7d5d

SHA512
c694905e73b64373ce3288d6182eac60fa84bf4782e9454696b675d9f1c398404cc77127253b86328aae82ede621f130ba7624949903fe5a0e784db52e888ec6

Download Submit
\Windows\System32\msdtc.exe

Filesize
404KB

MD5
6d31b750c12bbaed078068ea6ff2647a

SHA1
60e83bb68fc7591b51dafe92aa8e7bd4b95d6036

SHA256
3b82081651384c6a7bbcbac60df1ed12f8a02e46c249940f31c0bff905ece2c0

SHA512
eaadf617803952db2f4905a3387974aeba72e521e563552ad01295fb3f711aaae90d6db7b021fdd13d02d293189b1fc7d93fb3ed745494b5de36b1b28eda24ad

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.1MB

MD5
17cb660a16dc452d474d5043e214a063

SHA1
7a52d39247dc463aca9ade086ba63b2cc46c791e

SHA256
fc2777cc59346ce090767c3c935c94a9194717e401b043371daee6f2a6235407

SHA512
9da51cbdc09dffaa0d8ea6b83656e71fcf793c2ca60ace48d6f31ef97369b5884779c1d1b2c9d92762ff843b455a9f66ffdb65745c12c5bc1362339f44d84b1e

Download Submit
\Windows\System32\msiexec.exe

Filesize
933KB

MD5
e8786fb93ea895fbb87cf1bc40a61c7f

SHA1
171af8999f5261ec5285dc65b0e6387c840e74b4

SHA256
e2f1cf8809012c4703213481dc974840949296ff1ff4558ef0f24bd8dfe2f7ae

SHA512
174f66b2a5bb0591ec3f9a50edd507eede01bd89f13e0d7f8655bae6cd921d61f1457c2d9b46e5e0e393f3b7da80676600d6b87d4d01d95e303ffc112104cc71

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
999KB

MD5
4d8d65dc8d1868bc25db17a15672ef5f

SHA1
40e3581a17fb20ff638d95ac5b81abfd702d17b2

SHA256
ad67d98e7a2dd975cf7b8515f10b06be2deab3fd99628ac19123136dd8577e4b

SHA512
52e0fd3df1e1785278d589f717ee2540f39ed3121ce9f04cbfc62bb439d26406326aa099e16c5a6f7e684f1001921415fcc1ad4e51a9489730b54e6b5ecfa42a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
2e365ef008b86b35bbc6c921fff3c8e5

SHA1
c4e80b30ac4950ee4c62fdd862f6bbe4f1bdfb18

SHA256
86976afbb2d47d6a5b6ee46a2c89e26961714268c992f038022e8673b5178438

SHA512
44a5804a76cfcead03569230533bbf8718b4a949cc07e1aaa5185c820c8db305002ad5b059248fe89b31db7b2b7602732e4c882423a78b7d4b78fe042a6a94a0

Download Submit
memory/884-206-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/884-214-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/884-273-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/936-95-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/936-97-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/936-182-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/936-89-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/968-150-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/968-144-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/968-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1280-239-0x000007FEF4C20000-0x000007FEF55BD000-memory.dmp

Filesize
9.6MB

Download
memory/1280-447-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/1280-245-0x000007FEF4C20000-0x000007FEF55BD000-memory.dmp

Filesize
9.6MB

Download
memory/1280-256-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/1280-449-0x000007FEF4C20000-0x000007FEF55BD000-memory.dmp

Filesize
9.6MB

Download
memory/1280-240-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/1280-169-0x000007FEF4C20000-0x000007FEF55BD000-memory.dmp

Filesize
9.6MB

Download
memory/1280-164-0x000007FEF4C20000-0x000007FEF55BD000-memory.dmp

Filesize
9.6MB

Download
memory/1280-165-0x0000000000EC0000-0x0000000000F40000-memory.dmp

Filesize
512KB

Download
memory/1660-219-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1660-218-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1660-190-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1660-191-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1692-137-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1692-117-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1692-226-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1692-110-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1692-109-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1692-197-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1920-180-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1920-184-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/1920-248-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2000-174-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2000-171-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2044-76-0x0000000000A70000-0x0000000000AD6000-memory.dmp

Filesize
408KB

Download
memory/2044-73-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2044-152-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2044-70-0x0000000000A70000-0x0000000000AD6000-memory.dmp

Filesize
408KB

Download
memory/2112-126-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2112-212-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2112-136-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2168-274-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2168-260-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2168-289-0x0000000074498000-0x00000000744AD000-memory.dmp

Filesize
84KB

Download
memory/2168-271-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2472-61-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2472-54-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2472-122-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2472-55-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2508-39-0x0000000000680000-0x00000000006E6000-memory.dmp

Filesize
408KB

Download
memory/2508-83-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2508-38-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2508-44-0x0000000000680000-0x00000000006E6000-memory.dmp

Filesize
408KB

Download
memory/2536-288-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2536-279-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2540-452-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2540-254-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2540-250-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2712-28-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2712-108-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2712-34-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2712-27-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2884-69-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2884-1-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2884-7-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2884-6-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2884-0-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2884-264-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/3008-241-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/3008-285-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/3008-231-0x0000000000550000-0x0000000000699000-memory.dmp

Filesize
1.3MB

Download
memory/3008-229-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/3008-287-0x0000000000550000-0x0000000000699000-memory.dmp

Filesize
1.3MB

Download
memory/3024-13-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/3024-21-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/3024-14-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/3024-88-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download