bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61

Analysis

max time kernel
130s
max time network
158s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
Size

1.8MB
MD5

08210cb249ac42c07ce4dcc70a12b69f
SHA1

8bffa115112bf52ed65c7887776307e00168bc06
SHA256

bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61
SHA512

9d7c6e346feee8ec49a35d6ffdc737c61bb3cc5c0c9e970c85380da4440ad8b1e1c7568568809db1cefe0aa966fb10c3e5ea8d722cda7ee4ebff0d8abba8e3e8
SSDEEP

49152:UKJ0WR7AFPyyiSruXKpk3WFDL9zxnSxUSCfmzz9YVgY:UKlBAFPydSS6W6X9lnnSC+zzKi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
468	Process not Found
2708	alg.exe
764	aspnet_state.exe
1492	mscorsvw.exe
2220	mscorsvw.exe
1976	elevation_service.exe
1552	GROOVE.EXE
964	maintenanceservice.exe
2168	OSE.EXE
1268	OSPPSVC.EXE
880	mscorsvw.exe
908	mscorsvw.exe
1784	mscorsvw.exe
2264	mscorsvw.exe
1904	mscorsvw.exe
2300	mscorsvw.exe
2560	mscorsvw.exe
2540	mscorsvw.exe
2228	mscorsvw.exe
2352	mscorsvw.exe
2164	mscorsvw.exe
2496	mscorsvw.exe
1688	mscorsvw.exe
796	mscorsvw.exe
2812	mscorsvw.exe
780	mscorsvw.exe
2276	mscorsvw.exe
2520	mscorsvw.exe
2436	mscorsvw.exe
948	mscorsvw.exe
2704	mscorsvw.exe
2176	mscorsvw.exe
1640	mscorsvw.exe
1756	mscorsvw.exe
2124	mscorsvw.exe
1032	mscorsvw.exe
2912	mscorsvw.exe
2520	dllhost.exe
2492	ehRecvr.exe
1792	mscorsvw.exe
2548	mscorsvw.exe
2376	mscorsvw.exe
2496	mscorsvw.exe
2092	mscorsvw.exe
1648	mscorsvw.exe
2756	mscorsvw.exe
2428	mscorsvw.exe
2464	mscorsvw.exe
2736	mscorsvw.exe
2616	ehsched.exe
1496	IEEtwCollector.exe

Loads dropped DLL 12 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2092	mscorsvw.exe
2092	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b587bd625465f8f4.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_id.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\psmachine_64.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_it.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_pt-PT.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\GoogleCrashHandler64.exe	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B262F552-36A4-4AFD-A8FD-D1AE5D349D55}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_hi.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_et.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\GoogleUpdateComRegisterShell64.exe	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_es.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_nl.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_sv.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_zh-CN.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\GoogleCrashHandler.exe	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_mr.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File created	C:\Program Files (x86)\Google\Temp\GUM781D.tmp\goopdateres_th.dll	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe

Drops file in Windows directory 51 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2B49653F-AC10-469B-BCF7-0ACF7582388E}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP455A.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2B49653F-AC10-469B-BCF7-0ACF7582388E}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4E4F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP584D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1164	bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeDebugPrivilege	2708	alg.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	764	aspnet_state.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe
Token: SeShutdownPrivilege	2220	mscorsvw.exe
Token: SeShutdownPrivilege	1492	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 880	1492	mscorsvw.exe	37
PID 1492 wrote to memory of 880	1492	mscorsvw.exe	37
PID 1492 wrote to memory of 880	1492	mscorsvw.exe	37
PID 1492 wrote to memory of 880	1492	mscorsvw.exe	37
PID 1492 wrote to memory of 908	1492	mscorsvw.exe	38
PID 1492 wrote to memory of 908	1492	mscorsvw.exe	38
PID 1492 wrote to memory of 908	1492	mscorsvw.exe	38
PID 1492 wrote to memory of 908	1492	mscorsvw.exe	38
PID 1492 wrote to memory of 1784	1492	mscorsvw.exe	39
PID 1492 wrote to memory of 1784	1492	mscorsvw.exe	39
PID 1492 wrote to memory of 1784	1492	mscorsvw.exe	39
PID 1492 wrote to memory of 1784	1492	mscorsvw.exe	39
PID 1492 wrote to memory of 2264	1492	mscorsvw.exe	40
PID 1492 wrote to memory of 2264	1492	mscorsvw.exe	40
PID 1492 wrote to memory of 2264	1492	mscorsvw.exe	40
PID 1492 wrote to memory of 2264	1492	mscorsvw.exe	40
PID 1492 wrote to memory of 1904	1492	mscorsvw.exe	41
PID 1492 wrote to memory of 1904	1492	mscorsvw.exe	41
PID 1492 wrote to memory of 1904	1492	mscorsvw.exe	41
PID 1492 wrote to memory of 1904	1492	mscorsvw.exe	41
PID 1492 wrote to memory of 2300	1492	mscorsvw.exe	42
PID 1492 wrote to memory of 2300	1492	mscorsvw.exe	42
PID 1492 wrote to memory of 2300	1492	mscorsvw.exe	42
PID 1492 wrote to memory of 2300	1492	mscorsvw.exe	42
PID 1492 wrote to memory of 2560	1492	mscorsvw.exe	45
PID 1492 wrote to memory of 2560	1492	mscorsvw.exe	45
PID 1492 wrote to memory of 2560	1492	mscorsvw.exe	45
PID 1492 wrote to memory of 2560	1492	mscorsvw.exe	45
PID 1492 wrote to memory of 2540	1492	mscorsvw.exe	46
PID 1492 wrote to memory of 2540	1492	mscorsvw.exe	46
PID 1492 wrote to memory of 2540	1492	mscorsvw.exe	46
PID 1492 wrote to memory of 2540	1492	mscorsvw.exe	46
PID 1492 wrote to memory of 2228	1492	mscorsvw.exe	47
PID 1492 wrote to memory of 2228	1492	mscorsvw.exe	47
PID 1492 wrote to memory of 2228	1492	mscorsvw.exe	47
PID 1492 wrote to memory of 2228	1492	mscorsvw.exe	47
PID 1492 wrote to memory of 2352	1492	mscorsvw.exe	48
PID 1492 wrote to memory of 2352	1492	mscorsvw.exe	48
PID 1492 wrote to memory of 2352	1492	mscorsvw.exe	48
PID 1492 wrote to memory of 2352	1492	mscorsvw.exe	48
PID 1492 wrote to memory of 2164	1492	mscorsvw.exe	49
PID 1492 wrote to memory of 2164	1492	mscorsvw.exe	49
PID 1492 wrote to memory of 2164	1492	mscorsvw.exe	49
PID 1492 wrote to memory of 2164	1492	mscorsvw.exe	49
PID 1492 wrote to memory of 2496	1492	mscorsvw.exe	50
PID 1492 wrote to memory of 2496	1492	mscorsvw.exe	50
PID 1492 wrote to memory of 2496	1492	mscorsvw.exe	50
PID 1492 wrote to memory of 2496	1492	mscorsvw.exe	50
PID 1492 wrote to memory of 1688	1492	mscorsvw.exe	51
PID 1492 wrote to memory of 1688	1492	mscorsvw.exe	51
PID 1492 wrote to memory of 1688	1492	mscorsvw.exe	51
PID 1492 wrote to memory of 1688	1492	mscorsvw.exe	51
PID 1492 wrote to memory of 796	1492	mscorsvw.exe	52
PID 1492 wrote to memory of 796	1492	mscorsvw.exe	52
PID 1492 wrote to memory of 796	1492	mscorsvw.exe	52
PID 1492 wrote to memory of 796	1492	mscorsvw.exe	52
PID 1492 wrote to memory of 2812	1492	mscorsvw.exe	53
PID 1492 wrote to memory of 2812	1492	mscorsvw.exe	53
PID 1492 wrote to memory of 2812	1492	mscorsvw.exe	53
PID 1492 wrote to memory of 2812	1492	mscorsvw.exe	53
PID 1492 wrote to memory of 780	1492	mscorsvw.exe	54
PID 1492 wrote to memory of 780	1492	mscorsvw.exe	54
PID 1492 wrote to memory of 780	1492	mscorsvw.exe	54
PID 1492 wrote to memory of 780	1492	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe
"C:\Users\Admin\AppData\Local\Temp\bdb6865dd6b70ecf8631c6e45d4aa323f13102329da745e70fd3f9bb1220ff61.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 254 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1ec -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 26c -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1ec -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 268 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1ec -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1ec -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 27c -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 28c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 26c -NGENProcess 244 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 240 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 298 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 244 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 240 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 244 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 2b0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 228 -NGENProcess 240 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 248 -NGENProcess 298 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 228 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 248 -NGENProcess 250 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 228 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 228 -NGENProcess 248 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1e4 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 228 -NGENProcess 1c0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 228 -NGENProcess 250 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 288 -NGENProcess 1cc -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 228 -NGENProcess 284 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 284 -NGENProcess 288 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a0 -NGENProcess 2b4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 154 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1976

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:964

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2168

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1032

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2912

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2520

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:748

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:2132

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1936

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:1436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:796

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2772

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1800

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
6bfb69bb6344014c6e6e647f5dd0f015

SHA1
e027ad5b719df38c2433ab81526b1fcc15dc1316

SHA256
7d8132aeb7f69afafc02cf855f6c9b47c748ce7e45a85efcaf8f253d63dcc528

SHA512
578c74aab35507b179a1cda088a6562c9637e861aef2c49ca3b75473fac955c713f44a1f9a8e5b02862d548b66225f3a28bb6b949fc01dbaafa8555424bb6140

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
7.5MB

MD5
a4a0f49d85770d060c1444eb432583fa

SHA1
360869768b453696cbb5f382fe4a722a8d983134

SHA256
8b8f22dc4d2eb8cd39f845111df51bc86430db40e8735ded3f8ea9f13587222b

SHA512
a7f05e54189ff33beab7ba8a4a6920c01090ad2bfafbfcf701f7dea71bf7dda69a7ccc6580c876b794bcac073c23add46462dddd7d3bf77c29a8a1c4cc368bdb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
d4dda58c802d09c81ad94f3d8f05a699

SHA1
8e5641a60b711f5281a46fdb24a47069d4f0736a

SHA256
c7c9b8a43403cfd72a1f9dc4c21883371d40d984ee3a7f230256987a561416c5

SHA512
1b45df1abfde2fcfce55a0cb38a4d07f79131d5add9648d132d16905042c31efab9f8d2132199f058d9b457704246c1e65bc607fbe6292caf709dc7b1f95cbab

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
3.2MB

MD5
24fcba8eb7e166d85d3705b17cbc92c4

SHA1
4c47d8999ba51ad1d8b0f29edcbc8102e0acb966

SHA256
2441672b058fd6964684e390d7f096193d08d7d3fb01da65f612f57642535450

SHA512
f16eee2fdc7868077bc4e01523908c2975ac1c7aeb3330cf9d712449ebd1b93491a5a5d559925829d2ca4973b14d0a6e3cdeb61e4d1bd272897a2b6a93b61216

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a68c661356713e73c64439fd3ccc5a63

SHA1
232fbd0d65dd1369605ef0262a4ec9be940e2398

SHA256
ad049bc5c478cecdabec21052e4480649d0a28d8ef07d6e2a193b0de42055143

SHA512
251bb3952060c413db30feabc6a044f1d80ea77708ec06b5c6d75bcd151736104c44b39deb201123a480fd94b592d706ddcaf2dfcc468032f194d0377e6b4ef6

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c6c09716cabf2a8492f03b877b2d2a07

SHA1
cb6e3ddb0ff946d8fa0345fa5381ead2b3eccadb

SHA256
80d1e6033351021783f6284a4abb80913d1e82c09d19ede91e9ae4f367dce84e

SHA512
a6f2c0c70820957de373e6546ceca809c8997cff233434b28cfaf80352a81628b7f6c6ea18f7dc5c0729b071507bcf92d6843a54c0d29c609a28525152d825fd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
27195092edba4823652bf726e8a54b03

SHA1
17b9065abdd79153a4b1225270b19aa6f080b742

SHA256
254369c303fd7761ea6d1f95851c19808025c225bedf067a6d5449ce00bb6399

SHA512
14203b771c899a37179f63246bfd712bf5f03e56624bb08adb72e72d64553069c30a6588939b7108109e77982b213d21ea1d84dfff48da15c8c77b0ab294f8a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
a7b7bc84de12d97c7f9e3dd3af3d8049

SHA1
847065de2d69aced417492a3a24369808c8ea44c

SHA256
215be2f9c34cac3d7cae6037f62c2aa6c621f3aa8fea158839cbad750456652f

SHA512
197ce9c32d63d745e8af9836cd7946e9d5094ba7688ddc4bfc43c52e369041e1ef7075ac99ed141334012ae527485a7a666fcfc93f099bfb880dea8f17976fab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
3fcdc85bdea1133b4ff408b1d40156d2

SHA1
a9b491423b4a4d0aedd9fb874fb6913e73634a30

SHA256
d2889aac5e55010f0ff0e48bc6180f2968cfdc52067abacb2f6af8fcfdfbad1e

SHA512
42865a4a4c06833e2aff223f3e778d82160c185f49311a069f2756321c1895a5d09eec300b75e1d0ba6e44cedabe5474ff8b529f71d24dbf95a3985ff7e357fa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
631KB

MD5
4cdbe7c95fbbd57373bb2f320961408a

SHA1
2ebf08e2c7aa5dd6dfbb02ade656e1cf5966cfb7

SHA256
f8bd71493b84500953ae46732fef1cd7f6207213eb63f957270cd917c391e41d

SHA512
f26b4cf920f354528e3cb4967c7709b22223f1c591d091bc4f682cb0faefdc627009703c805d58d563d43b9b137eb49a182bb05811569bbf2ccd3178993058fa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
7b63c347a2a43bd338aee30bd633a0d4

SHA1
83373005b4ad321cf86710f6038ea18314c37411

SHA256
80dbf5aae94df24d26858e5f98c2172e083b724ef1b6e2b1e0c3f0b0e2a0b9c6

SHA512
e3ec84f3f5b7d204ced080a867bfbd639908be213e6384b9fce7980e50c2c02e5805efd63227ef6db5d11abe7ec7c63eff8397661a5b344c025859610a361817

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
3302a01e6cb604570fb49b689f46093f

SHA1
818538751952c2523c5dc8658c70ad434df6b208

SHA256
a38b20f598e1dab02047d85ae801026eb9da3fafb9bb398b1c20defae22d8f30

SHA512
f46634bcd3ccb9d526710f39198e1b50068c86fbea9ef464806c1e6a3a4b6b03e727bad0b235ec1b7a44f7e33397a480e3d10cb93e4c0db70c78fafc9711ad49

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
0f95220fd1aa529dbd0cf5fdbe603f88

SHA1
6b550f4bd894b7bfbcd27c32eb79e1a22ccc6476

SHA256
7b8737656d91ddbe4ae0894cb8f036d3be2626f7dbf68a3adc3e7a7e3e2582a8

SHA512
0734abd0e9671721d1b5e5583de247125b8069c8ae396dfc270f3eece58038471934a582b1690637448944c60d5f85f67865060daf0ebf6eb34e58c91f4c0934

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
ec5cdfbe3199901d25e835b82cd830ac

SHA1
3dff0d6007259a4ff3d06fb08f1537655712b082

SHA256
6f5340462dd52bbbd7becf79e50ed2de3cd98107100e782d151fd6b9cc49ad37

SHA512
94b2f4b129e4e993f61dd24b1686c36cbf3414a2e7cce94ff98a48f50af59465737f23ff94d844f6b2ffeb1252b84a1bfb8137e27764b824bb69f721e977e8f6

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
884195a68bc811e5667839bef540b1c0

SHA1
b9f7dfb8c046a88392d3cbd2ca87046e5c024dc2

SHA256
a245ce06a3da1286bf071743b0a0e0c71b91aa417912d8f4155ae1d2af6f93f0

SHA512
2410ca5e117c7c8e321c6aefead2c7fc118655a1aaab3f8f97eb92fa6271e2a175067a18660d17a7ec348974ceedd77f93864999fd41ed1e6e61818adbd67834

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
25f4437e9db47d9e84e73bbba51529f3

SHA1
2d804c63d08276cf19677fbe4f9d22df6f3a0bbb

SHA256
f3e4c9f21d598293dee85ded2902724f5a0b54a319f20f1193e2d311ff1242ec

SHA512
5d7e7b672b51a16671089b6bffc8fcada11a781a2397f2f798a462d1903f59753cbc52a39e590cba751bafaf968ff5cfdfd14369cc5ff4ab979dc8b2ec9790de

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
435354cc8852ddd47ed3480fd34638b2

SHA1
24f78bf12e443e82640fda90e9c2838fc38324c8

SHA256
5d05a1d730a90b402dcacd26fc94efaddfccde48fad09987aeb22345a9e99434

SHA512
da1aaf1d798d4932b55953554599f61525c37ce92405ddb9cee6bfc7d960dd7f90c7c2d08c4aa97ee5d54906fd94046c2d29bd9cc0dca5da065d6fab620bebe6

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
417c65246a83eb2bccfa14006634d2d6

SHA1
f34427ffee6f34bbbc99557feb11444682cb6310

SHA256
951348e0f0a2fd335d0e886eb56c86a42f1f4b20be0c1e7f025e82cd835a8c7e

SHA512
3e15749e48afa44267c2775424bd4d4a6a61d8528c79f944d3bf137437ffed0cc8fd0318486b04ef7f78fc527f3acb21f693fd7a55d81615697f72e3b640275f

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
9586e4d989f0a39b00c2cbb2d8b8cf0d

SHA1
b6c59395d8b9fe38a6b4a3bec76f384a7d14c56c

SHA256
71881cc7aec31203985ca570601794c6a6da20bc608609035ab8e4fad5d7af0a

SHA512
41f3991bcae1de532e8e6dbee6ba35b424e918499e56fe3972dd5d4388c2216cc585c701c052ce21b4c2a05339250947f59c365c96549e43fe9332e8f1d454d2

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP455A.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4E4F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP584D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
memory/764-177-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/764-96-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/764-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/764-234-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/880-367-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/880-286-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/880-392-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/880-274-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/880-409-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/908-381-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/908-434-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/908-435-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/908-416-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/908-386-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/964-236-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/964-243-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/964-248-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/964-251-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/964-235-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1164-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1164-170-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1164-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1164-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1164-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1268-297-0x0000000074308000-0x000000007431D000-memory.dmp

Filesize
84KB

Download
memory/1268-424-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1268-287-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1268-268-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1268-471-0x0000000074308000-0x000000007431D000-memory.dmp

Filesize
84KB

Download
memory/1268-288-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1492-180-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1492-187-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1492-252-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1492-181-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1492-186-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1552-231-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1552-224-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/1552-229-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/1552-285-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1784-478-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1784-436-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/1784-431-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1784-477-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/1784-426-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1904-502-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-516-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1904-515-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-486-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1904-491-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/1976-212-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1976-272-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1976-211-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1976-219-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2168-414-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2168-263-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2168-254-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2220-195-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2220-196-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2220-203-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2220-261-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2264-495-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-496-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-473-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2264-480-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-466-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-517-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-510-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/2300-534-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/2300-533-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-532-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-505-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2560-530-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/2708-223-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2708-89-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2708-57-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2708-56-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download