bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
Size

1.8MB
MD5

c8a4e3b8e574ed69fb172365f0f6a353
SHA1

c1f0868bea450b59bad50e78a9398adcd271aaa0
SHA256

bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49
SHA512

0f07797785ae6417afa87f5ea358f01f2353b9293be850cbe09be6ec8e74e1c9d92b122f6646ac3751b4b3ebe3cde49b7b4b94764b495f946e6608c7f308d2bc
SSDEEP

49152:Nx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAWkQ/qoLEw:NvbjVkjjCAzJ5qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 53 IoCs

pid	Process
464	Process not Found
2608	alg.exe
1580	aspnet_state.exe
2716	mscorsvw.exe
332	mscorsvw.exe
572	mscorsvw.exe
1340	mscorsvw.exe
2260	dllhost.exe
2164	ehRecvr.exe
2288	ehsched.exe
2556	elevation_service.exe
2416	GROOVE.EXE
2436	mscorsvw.exe
2344	mscorsvw.exe
856	maintenanceservice.exe
2040	mscorsvw.exe
2892	OSE.EXE
2932	mscorsvw.exe
1896	OSPPSVC.EXE
2496	mscorsvw.exe
1952	mscorsvw.exe
752	mscorsvw.exe
1152	mscorsvw.exe
2032	mscorsvw.exe
2700	mscorsvw.exe
1200	mscorsvw.exe
784	mscorsvw.exe
2712	mscorsvw.exe
1916	mscorsvw.exe
2140	mscorsvw.exe
2300	mscorsvw.exe
1156	mscorsvw.exe
2624	mscorsvw.exe
1316	mscorsvw.exe
1332	mscorsvw.exe
2352	mscorsvw.exe
2212	mscorsvw.exe
2272	mscorsvw.exe
1996	mscorsvw.exe
2452	IEEtwCollector.exe
2884	msdtc.exe
652	mscorsvw.exe
2624	msiexec.exe
2496	perfhost.exe
296	locator.exe
700	snmptrap.exe
2328	vds.exe
2588	vssvc.exe
2780	wbengine.exe
3044	WmiApSrv.exe
1040	wmpnetwk.exe
864	SearchIndexer.exe
928	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2624	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
724	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9d890bb89a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\GoogleCrashHandler.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_de.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_fi.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_iw.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_en-GB.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_bg.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_bn.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_ro.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_th.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\psuser.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_gu.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_is.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_es-419.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4347.tmp\goopdateres_zh-TW.dll	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5AC2D2B4-7ABB-4541-8BE3-D64FADB4600D}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5AC2D2B4-7ABB-4541-8BE3-D64FADB4600D}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{90663BA8-9DB5-4B23-803A-444878D13670}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{90663BA8-9DB5-4B23-803A-444878D13670}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2464	ehRec.exe
1580	aspnet_state.exe
1580	aspnet_state.exe
1580	aspnet_state.exe
1580	aspnet_state.exe
1580	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1620	bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: 33	2868	EhTray.exe
Token: SeIncBasePriorityPrivilege	2868	EhTray.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeShutdownPrivilege	572	mscorsvw.exe
Token: SeDebugPrivilege	2464	ehRec.exe
Token: 33	2868	EhTray.exe
Token: SeIncBasePriorityPrivilege	2868	EhTray.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeDebugPrivilege	2608	alg.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1580	aspnet_state.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeSecurityPrivilege	2624	msiexec.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeBackupPrivilege	2588	vssvc.exe
Token: SeRestorePrivilege	2588	vssvc.exe
Token: SeAuditPrivilege	2588	vssvc.exe
Token: SeBackupPrivilege	2780	wbengine.exe
Token: SeRestorePrivilege	2780	wbengine.exe
Token: SeSecurityPrivilege	2780	wbengine.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeDebugPrivilege	1580	aspnet_state.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: 33	1040	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1040	wmpnetwk.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeShutdownPrivilege	1340	mscorsvw.exe
Token: SeManageVolumePrivilege	864	SearchIndexer.exe
Token: 33	864	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2868	EhTray.exe
2868	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2868	EhTray.exe
2868	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	SearchProtocolHost.exe
2736	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2436	1340	mscorsvw.exe	41
PID 1340 wrote to memory of 2436	1340	mscorsvw.exe	41
PID 1340 wrote to memory of 2436	1340	mscorsvw.exe	41
PID 1340 wrote to memory of 2344	1340	mscorsvw.exe	42
PID 1340 wrote to memory of 2344	1340	mscorsvw.exe	42
PID 1340 wrote to memory of 2344	1340	mscorsvw.exe	42
PID 572 wrote to memory of 2040	572	mscorsvw.exe	44
PID 572 wrote to memory of 2040	572	mscorsvw.exe	44
PID 572 wrote to memory of 2040	572	mscorsvw.exe	44
PID 572 wrote to memory of 2040	572	mscorsvw.exe	44
PID 572 wrote to memory of 2932	572	mscorsvw.exe	46
PID 572 wrote to memory of 2932	572	mscorsvw.exe	46
PID 572 wrote to memory of 2932	572	mscorsvw.exe	46
PID 572 wrote to memory of 2932	572	mscorsvw.exe	46
PID 572 wrote to memory of 2496	572	mscorsvw.exe	48
PID 572 wrote to memory of 2496	572	mscorsvw.exe	48
PID 572 wrote to memory of 2496	572	mscorsvw.exe	48
PID 572 wrote to memory of 2496	572	mscorsvw.exe	48
PID 572 wrote to memory of 1952	572	mscorsvw.exe	51
PID 572 wrote to memory of 1952	572	mscorsvw.exe	51
PID 572 wrote to memory of 1952	572	mscorsvw.exe	51
PID 572 wrote to memory of 1952	572	mscorsvw.exe	51
PID 572 wrote to memory of 752	572	mscorsvw.exe	52
PID 572 wrote to memory of 752	572	mscorsvw.exe	52
PID 572 wrote to memory of 752	572	mscorsvw.exe	52
PID 572 wrote to memory of 752	572	mscorsvw.exe	52
PID 572 wrote to memory of 1152	572	mscorsvw.exe	53
PID 572 wrote to memory of 1152	572	mscorsvw.exe	53
PID 572 wrote to memory of 1152	572	mscorsvw.exe	53
PID 572 wrote to memory of 1152	572	mscorsvw.exe	53
PID 572 wrote to memory of 2032	572	mscorsvw.exe	54
PID 572 wrote to memory of 2032	572	mscorsvw.exe	54
PID 572 wrote to memory of 2032	572	mscorsvw.exe	54
PID 572 wrote to memory of 2032	572	mscorsvw.exe	54
PID 572 wrote to memory of 2700	572	mscorsvw.exe	55
PID 572 wrote to memory of 2700	572	mscorsvw.exe	55
PID 572 wrote to memory of 2700	572	mscorsvw.exe	55
PID 572 wrote to memory of 2700	572	mscorsvw.exe	55
PID 572 wrote to memory of 1200	572	mscorsvw.exe	56
PID 572 wrote to memory of 1200	572	mscorsvw.exe	56
PID 572 wrote to memory of 1200	572	mscorsvw.exe	56
PID 572 wrote to memory of 1200	572	mscorsvw.exe	56
PID 572 wrote to memory of 784	572	mscorsvw.exe	57
PID 572 wrote to memory of 784	572	mscorsvw.exe	57
PID 572 wrote to memory of 784	572	mscorsvw.exe	57
PID 572 wrote to memory of 784	572	mscorsvw.exe	57
PID 572 wrote to memory of 2712	572	mscorsvw.exe	58
PID 572 wrote to memory of 2712	572	mscorsvw.exe	58
PID 572 wrote to memory of 2712	572	mscorsvw.exe	58
PID 572 wrote to memory of 2712	572	mscorsvw.exe	58
PID 572 wrote to memory of 1916	572	mscorsvw.exe	59
PID 572 wrote to memory of 1916	572	mscorsvw.exe	59
PID 572 wrote to memory of 1916	572	mscorsvw.exe	59
PID 572 wrote to memory of 1916	572	mscorsvw.exe	59
PID 572 wrote to memory of 2140	572	mscorsvw.exe	60
PID 572 wrote to memory of 2140	572	mscorsvw.exe	60
PID 572 wrote to memory of 2140	572	mscorsvw.exe	60
PID 572 wrote to memory of 2140	572	mscorsvw.exe	60
PID 572 wrote to memory of 2300	572	mscorsvw.exe	61
PID 572 wrote to memory of 2300	572	mscorsvw.exe	61
PID 572 wrote to memory of 2300	572	mscorsvw.exe	61
PID 572 wrote to memory of 2300	572	mscorsvw.exe	61
PID 572 wrote to memory of 1156	572	mscorsvw.exe	62
PID 572 wrote to memory of 1156	572	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe
"C:\Users\Admin\AppData\Local\Temp\bb61ad20b64ec005a75fb56ae137731a3ab139d6e0ed92ca902751a358ba0f49.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2716

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 258 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 254 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1dc -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1dc -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 244 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 274 -NGENProcess 1f4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1dc -NGENProcess 248 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 270 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 270 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 298 -NGENProcess 1dc -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1b0 -NGENProcess 270 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1b0 -NGENProcess 270 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 2a4 -NGENProcess 1dc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 254 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1b0 -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 26c -NGENProcess 1f4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2260

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2164

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2416

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:856

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2892

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1896

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:700

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:864
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
2f0822ff48ec89adffd2ac880cbfb7ee

SHA1
3bfd6667c49187be31b65163e27107fae30ff0ed

SHA256
97bcb039e9663a74148512ec2e3a6fe333894ec6d996d0a8280e56c6a4d60280

SHA512
679659600705e3d211c6aec8d34a96cfea4a2783e2f9b40c882079cb3c1ada45a9559ed77740e43543f942ff5b2b0af0036e6975d575f1180d90529a54c3497f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
7.4MB

MD5
c15ab6ef54e79f4abcbe9f9fed5c3ac3

SHA1
83cc7265c099148f3579b66a2d40354d8cd61bd9

SHA256
5fcc339d22d4941e7656049f8948165cf8a3874659dd60f23b2597b850a1650a

SHA512
90316e947ef17e032fa29952fe53cf5fb45bf1926d1420f1348d5c625446a03e840ad80bb61b0e1fe9ac1bb003cc641b7f0c6aa9a7332887b97a0f6a47b0249f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7deca0fb156166c6eeac3bc10d377a53

SHA1
d63d8170e26b3cab23c4859e9fc041f24c90584a

SHA256
634f7a0cea28af9a285029eb83a9dd39dad50929c473daa1665b648372b17e8e

SHA512
b3cf865cb9c0ec77e0baae2645fd464643acfd13ea0e137dbe2f428566a335277a8ad9c4269caf9e4a15bd5a7e4d1c771cd3979a9bef2ac9f17a4e99d48f704f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
3.9MB

MD5
a7ac61ba38d39bfff56c263ede9ffa98

SHA1
c15f4d7d4314dfe25bc5a70dea5cc786fd24e11a

SHA256
e3af24ad9759e8201626162cdf5f640dd3fb3cc7a960390b939923c248b3cbd6

SHA512
e249cb11fdb67e678de7d5093ccb358b945a10b3e0795764bdd8f0f98f7c1b50ceba25c0361ba4e507b31d0f3a987966cc14ebcc64258eb4b136c7461cc6b8ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
dd0db3da373bdd2613a75db1053daf0e

SHA1
8b847800608def632d7ccc6770527dc62ea14f65

SHA256
8adb8bbd530401000c08937bbc41ab9d565b302f4ea99055bfe66478438f5721

SHA512
c499711291f2074be1f68e345625ba20cd997dc78ff9524e704d523c99aa6c6a848fb3994c5135297df09f187101285966ca13ea494f76e379e506b5be1357dc

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
9b79aa7eb1420458de1fcfebcad4d48f

SHA1
11f56dddac1e89d180016fbe6ce83ca303ff0785

SHA256
336f01fde15594130440c9c119e5ebc5402cff095302f9e00a25add190fd6886

SHA512
74e78caeefb27d006e0caaccb6ae36b9fcb505c5c091c30e636bc47014371b68dd8757352e98a59ad90dadea4451c9af1fc31ca1deb775ca8a744ca15129145a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
cb88f2ff17b674ccea8109637c6c6f90

SHA1
409a3bfd4e570c35eee49cfdd8874d1a4b4ee0a3

SHA256
7106c893800fa4dbe1be2fe10791713d6fcf704b14a36b809ed28ebd0e9a0c24

SHA512
dc259cb50da8508c100fd777e187ff18cb71ebebe742701ed433d5d1af99d1260143455bc36b9fed651bc5df3af446b821fe2a287712293cd4bf8baac735c957

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9964a2c4f3787188d9d79be169e74f4a

SHA1
1edda2034d737e4a65d9fab8708dadec02a8421b

SHA256
1d7c5531dc38a6c53390ad056bb44be466b0a04456fcd16fba06bcaaae01f36e

SHA512
c7cc1937f81321db6bcad325c55a9783534a0f5de4b59b33191d405ecdf56cbd5d5135c75bbe7c9ebd5fb0d6c4b001d6091adb830297a6da3c2157f3036df22e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
768KB

MD5
dfca9c045222ed545cd539b1b7d3f7e8

SHA1
3d86a7745dd956ca9e67d96439fa86d34c335039

SHA256
f9e47ffc6f95256b5825f3b2794d37c72deffb2d4e102f5647c623bcfd21de0a

SHA512
3789db370f00676ccda0380b89e1a5fee65a5e1fe3d331ca5716dfc1bab60b89a18ae6084f2523e4381a7156bea242a35f54151bbc797c1a57a55412ea9d1cc5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
0a190472054c3f0afcd1006cc4bf41b9

SHA1
87a64a9c64417b857c9c21535d34fb98856e0dc3

SHA256
9b1babad1fe3d5d2014cb43488408dd33632f937f2d2cb5aed3ac6030247a205

SHA512
46d8e39f222c29e817be2b0c92044e4c12c0b8391bbb792bf395274eabe553848e2d9eb19a847b4a89a55a5f06c61d77bd380edaf76a52c355a5ffe81b91b756

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c03a11c6c1295258a79c04566aaa2891

SHA1
72732d4a72113f5a70e4e8a72167f6a039d15daf

SHA256
0deeeb00baecbc282fc6a539465eb3f3712717d47162d8832e2c97172916f122

SHA512
72f6ac889654a504791330dd9333826db22bb7f2144e0c42ffff006b59fe727da5c811952a60a363303cb019faabd44a50e62d2a9cac5dee8af0d0c476e06943

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
a76c86f0ded02916d1cc4905c3100290

SHA1
3c38fa0621725212f317ee4230b87f678f132fd9

SHA256
47a848d4fa23fbfa3c16d57d90125c117274c78d4447b0c2cbc6b185f2a2dbd8

SHA512
13971070309099f6db53146472bc39864a76073057a6a8113fa28d92170e51dad6520162704f75d0b52b68b32f95b332278f17690dd76600b92586bac777e708

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
384KB

MD5
a370e8a89d29ca93d6695fb8442ee477

SHA1
bdb9170d7fdf4dab9e74e3d9bb62fe523ed07a15

SHA256
8f83c746d881530ca1979672d4778ebdc8b20b43124699d41c2cd69c4bdadecc

SHA512
4d257836faa02cf44d7ddc6bf0befcb8480e5f821b32ad0f27bbb3124e6f3cd4fb0f90ae2ae226ea874e4aead7a3a97b7d0996af1bcfbdf47f93769ff7910644

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
448KB

MD5
c1ad441bd0eac99c2d9e3507a2478576

SHA1
a6aefc76085b36b46a30e93a92aec68180c233a4

SHA256
485b1c12d78401c777d671d225772dbecd8666627b8ea056b54180597e435be2

SHA512
586f5608042ed65dc5746e71d0355fafbae49d41a19b411aa326fa8778d5067a0f47acdc2129301bfd78b0c5089224255cf8eec0082e899c4146c52af4dff188

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4e800acb46ad0193712d4656609a9fd1

SHA1
c630247b23a4cd34a3f080a92119ae57d1a108a1

SHA256
f8535793a2efeaf9ef336e1276d1e01d57e8370b3083c0dfe5e82b6a3f9ef28c

SHA512
be0baaae3bdc85dfc0e67588d3b965c713795e0884ac8aae101acf7d0c7c533e54ee8cb8c479213699b5000dff18f20410584d09cb2440d87fa948a5e175269d

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
824d894f34f6aa6287f934b9af539fa5

SHA1
4c9d7d61fa1f923aa74ce2e803d2b1cecc728d0d

SHA256
b4351c23bcf0911d96b3c6f1035248877cb484248ad5134e9a88f9f28182d4b3

SHA512
564a26c77fcf5f99ea1d70b57d4fa602af9bb9d8e76c3040bca549da6eed9f1a436cba87bb793cb5e6360d95998464b1257181aaafd87a97284b5e7d423ec419

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
b0ade27ed3cf57e2f9f57382602e70a3

SHA1
cb73b6bb08bfc4d4061ede9ffb9173b7a7729b48

SHA256
548fd17871b8831ff204ce0ecbf23425b7643620ac100d3ae12089a4410671cf

SHA512
e6e7b6a010084c8f946340eff715cc6838a18c0874943c25c4e15aabe72f656741b8a204accb3acaafc70898f56ee4072e72b705525a850bd31f6e8f4d93717f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
896KB

MD5
589d7f402c5527c185fede4c5b72db04

SHA1
669c2d1f5b0ecab5ad60def46244e74d8ea84278

SHA256
75835a9fcf7005b8e87f1ed4e8f26269b56d360e5a3d27eede295c5d676f2847

SHA512
6ec92340e902b89d68d0750ed18b19c71eb492163be9e1145e4337cfe15fef3b8095c4ca74f4e1b589fdb6c8be0e62cfee3b41ab884b46144c83dc01b20b79f9

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
192KB

MD5
32c94d30167536464536fd8aedada15b

SHA1
cb66cfcf11b220747385ea8341f87a9ba1c1b679

SHA256
a5083db9c3c4bff6a84e5c9b591fc339f45004be95c0435dbc645ffbeee86954

SHA512
40d2061f0254f15b2fa3f1cd18a0ec5828f552a0587e83097faddc459105ba47661011087b1a9791661e768dcb9485ebf1042d93d3d7ecb14707fff9467ee437

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
4c42bf444817110b0e910bdabf62c3fc

SHA1
3955d70e20e65f042b4306cb8c2ed5e7c1e82a35

SHA256
2b215a47a4910f55f0b4225fff8c69a0de54ca68a98cc6f5c578705537471247

SHA512
97804e173b87ef665c7efa8fb5cfedc4448ab1578142076ea60f30c705e65926a6d11c9f6a856ff0862707c873b281da75ed237fe134f99f8976e39e53b5b492

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
181b4661140b5c52a9b083f7441665fd

SHA1
e781f1fc79cdae25b62f32b7cb4224abb7864f7c

SHA256
bef16be8b8d8b12d4192b1ff59d15ed1ff44234e15ec3790acb8c27c8ea724a9

SHA512
72eed7a76e1f24d4649dcc808b28ef387165a71a5da3358b999157ff582ffa74c9e7164c7e1557be836c6b386d63a1765aeed023464acf695d98b6fd860462ec

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d81fcb98e90973d9b73f9595f8800698

SHA1
fbb1a68fe7ec24d9a8f97edc281b5b8f3be9c439

SHA256
206e8bff1e87d12638e7c7691505877cbc4c5d7afac112aef035dd35a97d0b8a

SHA512
febab3162ffbd4a3ab342d185fa787593f804b2f2601de587c6b9a68097196c4a584b5f3a310a62ce650d0642dbb93a96cdab6e99f28822a93e19c33be429bb5

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
a4545233386e5198d6f82709cd3c2ba9

SHA1
d3c9c672b02d1e4827a9124f6140fbf33dc6fecd

SHA256
f1e80cc9c45b8a2bec37bd1b3b3d8631506b5e71a72b426177ffed2fcd89f1a8

SHA512
5316d0a75e50adde7b1b85d22c15dec4590300c6e36c696d585dd3d00d298a708eb98e0f07706d5845fb177f182d0e6b5ea3124d9f9b5ac339fefcd170c7ece4

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
53417949555bf61e7953def36dac7930

SHA1
f6ae1bea1828ed69696dd356e86653b90a46bf83

SHA256
1e7796f8c5f8e0406beb08ac96d24cf6c07659f571702f98338d9466c10b7081

SHA512
e93035322a0231597c55fe851bd4e011b975a277739e80f05c4c8082ccb75588cec7cc33fdb31708896982a0e50477cbaa06042e60e42160fff07992f53d1639

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
72cacf73d33af84b90866882c99e0dec

SHA1
0a11aeb37198868a1c331cb4b53052f041923aa7

SHA256
a3246db8ddc54c5a388dcbc6be35d184187ce7b10717d3f53aff0d115c7470bd

SHA512
2295d100d82448c5df90110502b01c7a1693bec59095f85d0ba6719307e2d935bca0eb492fa76519d61291a81dd79eef96c96d24b07d006e42ef9db5e64d30cc

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6c5313c2aefbc37cf7adbcb541ae05c5

SHA1
5d5fd2754fbb8acd172fe811b8d84442e2ecbbf2

SHA256
89be30eed01b3a855163ba7c6234d50d37a1aab8503c0a3ecf7a9b17336ad718

SHA512
22f6db5d3ab8f1281d3edfecd98b05451a8872c34fc3602c8a16e5f11ce85c00bb6f7ea9f86edf39fa085011d900489af9f061a7407b74879e152e7ecca011c1

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
cb71c5dc6d6aa5b16d0987d490103ad7

SHA1
63b4a7b8a9a193a3db39fdb5368b3087602940eb

SHA256
4f9e48ec7f6609395580619d518f74336417495de15ac5b05655b8a6250360fc

SHA512
70b396bc06ebf4203d73aa83e7a059b9259d77d1c8408177f5058bb7785689c6bcfa9993d660549dc8c72371380cbdd7afb71cd5869c682f324fd9c017630817

Download Submit
\Windows\ehome\ehsched.exe

Filesize
256KB

MD5
05e8135f030609b03cd2f39bbb2465aa

SHA1
4fd6d1b6f8f77a78e961fff082415211b22e5792

SHA256
ce2990aaf0164f0139b16b2f9596fcca2be294c233ac7962078229d67f4b4733

SHA512
f8d586315a225d3fecfe962a7670fcc8045e115320c8212b986339d715ca72e175271894e2a283ef15e321c92347bf78a333d41908ec907d1936f7a1e19cc1ad

Download Submit
memory/332-177-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/332-122-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/332-121-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/332-130-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/572-146-0x0000000000B00000-0x0000000000B66000-memory.dmp

Filesize
408KB

Download
memory/572-290-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/572-139-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/572-140-0x0000000000B00000-0x0000000000B66000-memory.dmp

Filesize
408KB

Download
memory/572-145-0x0000000000B00000-0x0000000000B66000-memory.dmp

Filesize
408KB

Download
memory/856-357-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/856-363-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/856-391-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/856-392-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1340-158-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1340-295-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1340-162-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1340-166-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1580-181-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1580-101-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/1580-94-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/1580-93-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1620-276-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1620-138-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1620-1-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/1620-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1620-6-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/1896-424-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1896-428-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1896-431-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2040-377-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2040-382-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/2040-393-0x0000000072680000-0x0000000072D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-202-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2164-193-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2164-293-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2164-365-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2260-180-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2260-188-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2260-311-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2260-184-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2288-375-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2288-282-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2288-292-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2344-372-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2344-371-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2344-370-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2344-361-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2344-356-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2344-355-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2416-354-0x0000000000450000-0x00000000004B6000-memory.dmp

Filesize
408KB

Download
memory/2416-327-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2416-412-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2436-360-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-352-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2436-351-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2464-384-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/2464-386-0x000007FEF3CE0000-0x000007FEF467D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-364-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/2464-362-0x000007FEF3CE0000-0x000007FEF467D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-353-0x000007FEF3CE0000-0x000007FEF467D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-332-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/2556-297-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2556-395-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2556-305-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2608-31-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2608-24-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2608-87-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2608-159-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2716-112-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2716-156-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2716-105-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2892-399-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2892-414-0x0000000000560000-0x00000000005C6000-memory.dmp

Filesize
408KB

Download
memory/2932-430-0x0000000072680000-0x0000000072D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-421-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2932-418-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download