c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0

Analysis

max time kernel
100s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
Size

1.8MB
MD5

12c1979e05d9a59b71a3a59f2c07d270
SHA1

100997527e994f247991b2da3ab957509a73cc0d
SHA256

c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0
SHA512

5c2d64f12a147996d0969f696efccfc9abe4bfec2bef6a8f98687895c165d805dd5f4fc3981a9a8a180b4bfd07f8cb80507715f227fbe0e2f4fbce656c41cf26
SSDEEP

49152:fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAB+WTz7F0/MbvJ:fvbjVkjjCAzJJWX7FjbR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
464	Process not Found
3068	alg.exe
1472	aspnet_state.exe
1528	mscorsvw.exe
2124	mscorsvw.exe
2716	mscorsvw.exe
2504	mscorsvw.exe
3060	ehRecvr.exe
2860	ehsched.exe
2188	elevation_service.exe
2168	IEEtwCollector.exe
2660	dllhost.exe
2792	GROOVE.EXE
524	maintenanceservice.exe
1364	OSE.EXE
2288	OSPPSVC.EXE
2256	mscorsvw.exe
2044	mscorsvw.exe
2032	mscorsvw.exe
1012	mscorsvw.exe
2536	mscorsvw.exe
2908	mscorsvw.exe
1692	mscorsvw.exe
2764	mscorsvw.exe
1220	mscorsvw.exe
2752	mscorsvw.exe
1992	mscorsvw.exe
1892	mscorsvw.exe
756	mscorsvw.exe
2552	mscorsvw.exe
2200	mscorsvw.exe
2888	mscorsvw.exe
1676	mscorsvw.exe
2508	mscorsvw.exe
2260	mscorsvw.exe
1908	mscorsvw.exe
2264	mscorsvw.exe
2876	mscorsvw.exe
1956	mscorsvw.exe
2056	mscorsvw.exe
2640	mscorsvw.exe
2684	mscorsvw.exe
2460	msdtc.exe
2076	msiexec.exe
848	perfhost.exe
684	locator.exe
820	snmptrap.exe
432	vds.exe
2560	vssvc.exe
2900	wbengine.exe
2456	WmiApSrv.exe

Loads dropped DLL 13 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2076	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\271e006e9a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_fil.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_sl.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_da.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\GoogleUpdateBroker.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\GoogleUpdateOnDemand.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_mr.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_ar.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_id.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_zh-TW.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdate.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_am.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_zh-CN.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_sw.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_pl.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_en-GB.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51B8.tmp\goopdateres_ml.dll	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BF559AB6-68D5-4324-A303-9FE93CFD92E4}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BF559AB6-68D5-4324-A303-9FE93CFD92E4}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
288	ehRec.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1692	c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
Token: SeShutdownPrivilege	2716	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: 33	340	EhTray.exe
Token: SeIncBasePriorityPrivilege	340	EhTray.exe
Token: SeShutdownPrivilege	2716	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeDebugPrivilege	288	ehRec.exe
Token: SeShutdownPrivilege	2716	mscorsvw.exe
Token: SeShutdownPrivilege	2716	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: 33	340	EhTray.exe
Token: SeIncBasePriorityPrivilege	340	EhTray.exe
Token: SeDebugPrivilege	3068	alg.exe
Token: SeShutdownPrivilege	2716	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1472	aspnet_state.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeSecurityPrivilege	2076	msiexec.exe
Token: SeBackupPrivilege	2560	vssvc.exe
Token: SeRestorePrivilege	2560	vssvc.exe
Token: SeAuditPrivilege	2560	vssvc.exe
Token: SeBackupPrivilege	2900	wbengine.exe
Token: SeRestorePrivilege	2900	wbengine.exe
Token: SeSecurityPrivilege	2900	wbengine.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
340	EhTray.exe
340	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
340	EhTray.exe
340	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2256	2716	mscorsvw.exe	45
PID 2716 wrote to memory of 2256	2716	mscorsvw.exe	45
PID 2716 wrote to memory of 2256	2716	mscorsvw.exe	45
PID 2716 wrote to memory of 2256	2716	mscorsvw.exe	45
PID 2716 wrote to memory of 2044	2716	mscorsvw.exe	48
PID 2716 wrote to memory of 2044	2716	mscorsvw.exe	48
PID 2716 wrote to memory of 2044	2716	mscorsvw.exe	48
PID 2716 wrote to memory of 2044	2716	mscorsvw.exe	48
PID 2716 wrote to memory of 2032	2716	mscorsvw.exe	49
PID 2716 wrote to memory of 2032	2716	mscorsvw.exe	49
PID 2716 wrote to memory of 2032	2716	mscorsvw.exe	49
PID 2716 wrote to memory of 2032	2716	mscorsvw.exe	49
PID 2716 wrote to memory of 1012	2716	mscorsvw.exe	50
PID 2716 wrote to memory of 1012	2716	mscorsvw.exe	50
PID 2716 wrote to memory of 1012	2716	mscorsvw.exe	50
PID 2716 wrote to memory of 1012	2716	mscorsvw.exe	50
PID 2716 wrote to memory of 2536	2716	mscorsvw.exe	51
PID 2716 wrote to memory of 2536	2716	mscorsvw.exe	51
PID 2716 wrote to memory of 2536	2716	mscorsvw.exe	51
PID 2716 wrote to memory of 2536	2716	mscorsvw.exe	51
PID 2716 wrote to memory of 2908	2716	mscorsvw.exe	52
PID 2716 wrote to memory of 2908	2716	mscorsvw.exe	52
PID 2716 wrote to memory of 2908	2716	mscorsvw.exe	52
PID 2716 wrote to memory of 2908	2716	mscorsvw.exe	52
PID 2716 wrote to memory of 1692	2716	mscorsvw.exe	53
PID 2716 wrote to memory of 1692	2716	mscorsvw.exe	53
PID 2716 wrote to memory of 1692	2716	mscorsvw.exe	53
PID 2716 wrote to memory of 1692	2716	mscorsvw.exe	53
PID 2716 wrote to memory of 2764	2716	mscorsvw.exe	54
PID 2716 wrote to memory of 2764	2716	mscorsvw.exe	54
PID 2716 wrote to memory of 2764	2716	mscorsvw.exe	54
PID 2716 wrote to memory of 2764	2716	mscorsvw.exe	54
PID 2716 wrote to memory of 1220	2716	mscorsvw.exe	55
PID 2716 wrote to memory of 1220	2716	mscorsvw.exe	55
PID 2716 wrote to memory of 1220	2716	mscorsvw.exe	55
PID 2716 wrote to memory of 1220	2716	mscorsvw.exe	55
PID 2716 wrote to memory of 2752	2716	mscorsvw.exe	56
PID 2716 wrote to memory of 2752	2716	mscorsvw.exe	56
PID 2716 wrote to memory of 2752	2716	mscorsvw.exe	56
PID 2716 wrote to memory of 2752	2716	mscorsvw.exe	56
PID 2716 wrote to memory of 1992	2716	mscorsvw.exe	57
PID 2716 wrote to memory of 1992	2716	mscorsvw.exe	57
PID 2716 wrote to memory of 1992	2716	mscorsvw.exe	57
PID 2716 wrote to memory of 1992	2716	mscorsvw.exe	57
PID 2716 wrote to memory of 1892	2716	mscorsvw.exe	58
PID 2716 wrote to memory of 1892	2716	mscorsvw.exe	58
PID 2716 wrote to memory of 1892	2716	mscorsvw.exe	58
PID 2716 wrote to memory of 1892	2716	mscorsvw.exe	58
PID 2716 wrote to memory of 756	2716	mscorsvw.exe	59
PID 2716 wrote to memory of 756	2716	mscorsvw.exe	59
PID 2716 wrote to memory of 756	2716	mscorsvw.exe	59
PID 2716 wrote to memory of 756	2716	mscorsvw.exe	59
PID 2716 wrote to memory of 2552	2716	mscorsvw.exe	60
PID 2716 wrote to memory of 2552	2716	mscorsvw.exe	60
PID 2716 wrote to memory of 2552	2716	mscorsvw.exe	60
PID 2716 wrote to memory of 2552	2716	mscorsvw.exe	60
PID 2716 wrote to memory of 2200	2716	mscorsvw.exe	61
PID 2716 wrote to memory of 2200	2716	mscorsvw.exe	61
PID 2716 wrote to memory of 2200	2716	mscorsvw.exe	61
PID 2716 wrote to memory of 2200	2716	mscorsvw.exe	61
PID 2716 wrote to memory of 2888	2716	mscorsvw.exe	62
PID 2716 wrote to memory of 2888	2716	mscorsvw.exe	62
PID 2716 wrote to memory of 2888	2716	mscorsvw.exe	62
PID 2716 wrote to memory of 2888	2716	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe
"C:\Users\Admin\AppData\Local\Temp\c99b64c1614f465ce7ad18ea6fb0785201d83847b7abc68233047391c74258c0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1528

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 204 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 204 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 204 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 24c -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 290 -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 204 -NGENProcess 1d8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a4 -NGENProcess 1d8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 204 -NGENProcess 1d8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3060

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:340

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2660

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2792

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:524

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1364

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2288

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:848

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2500

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:844
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ecef56b3a7dc8d603cdaba0857e89233

SHA1
51429ffbd3425fe1a6e026615c6fc894f61c69cb

SHA256
c031afa6ff92bc38f5ddc642f163bacbe475a38a5002e480d03824fb48ac459b

SHA512
ee07be505d08c23b639a4b1d180cc5481b006783d68576e54c257dd4a39f5ea2a3b1a863754466eab3294a1f52c5d9446bad39deb6afc9f95fc743308c9502ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
768KB

MD5
902f61f9f338bf9460043f197e65f8ed

SHA1
ee57952ef5ee611b2a5736bb0d629f95bee8b5a7

SHA256
2f710aabb9fa86940d488ba8d7305970870629191ffddfcf3f184344ba7a9970

SHA512
3024605124eaa1be8a33efebc7a8475d6e4c6f6f443cbb7fa3eccec7cb806e1eed36d2a91638df4aaf984370ed331d9620593b47c9c9fd8eb69dc6e0d640ac05

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
623e99bbd182270ae67cd5c44239dc67

SHA1
ce7d76d9bb447ab80c30f94acfef8708f2337c94

SHA256
777c5b275e1a08d13d30d014308b08e2f5c88e7da2e4a56c9e983cb191d927a1

SHA512
3c6a2791274a82c11833152b33d5e07f31ecc6227776b0e50b7e375499282ffc41a88c5d590f331d5e57ed92404fe7a3fb08916ce4b0e419b07f5012f7fb3a05

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
42KB

MD5
ecf769982572ba27622bacfe485909ac

SHA1
f71a0c8729528182260b46632c521ade79be5ff3

SHA256
dc8038db890385f599a19a5b005e3950e5f2b59ea29e72890c47cf74e6644655

SHA512
78e940f32b3e0b2f8a472b4989100270183ee7b743fbef70f95af9d3e813764bcdd51bbc0d2cfdde06f8421e27d4c2cc54afc68a67be5fb48826166103e30401

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.9MB

MD5
29cf7d60f8204271138e72597dc48332

SHA1
d281b8d67b0b495f6b187ef95c4c171a1ba7bc9f

SHA256
38620a1b8e25eea20fd215bde1934033404c46ea255473533b74b3639863f0ca

SHA512
e1eac5e86cad7255b70236cfa456802710aaf2914e619766c4bb8dc5de7d05598dd09859c947009b719ada8d274fc5f1ce08e4a5e9ad0f86398f4d76eb2c85f7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
44e0a08e28b5b4a5ca1f48f9915e05c3

SHA1
71621f693010b2909abc56053d1fca46e9e48b0d

SHA256
a95ea36beb765adc5b411ea8f1669f54e0de409f3dba907665c8bb609449fd46

SHA512
3cdc572076e667043494c3c5ebcad397d16195a09c07af842b51a62617cb0f2589e4b3731f078d25331e0d387ded054d8ee173353f399ef5aae7c879b851105b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
628819ee1c35e811a1495ad0aca89b10

SHA1
7ba112fa205eb2edd69784251ff4b1f318ed3266

SHA256
8992109c8d82e374dc43cc71db7e4abe1814d54fa21e3424913d01f627d726ce

SHA512
b1d14a4843e6ff4e1cbe0b28743b1ce4f30c6018bde6f112aa02bb26367ca4d79e982260ee3d3b54950c26d3231e4f094d64e2605c1d70313cbee1504d9931a0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
89e0d6f156f8161b0b02848bffe0a9d6

SHA1
ffe3cff89cc187040aaa7e68e86b74d24144aa56

SHA256
4dd8bbec8a7202080d7f47cc02952e8c3e9d2237f5ed514821511569194453da

SHA512
8c6cca6ee3cd65d821e5e5229e4c20c7939a594edc2004f6a45bf8ef04adde7e4448db112983900c1b9d205f19f452000cc6a723e20ba030cb6cef6ca6615047

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
024f4bc38b646f3da6c62366b3fd746e

SHA1
b0a8fc907fbce96ff9f4c1e4a2d48087f65630b1

SHA256
da6f54cb137275e874119cc5a82e51a4d49252d67949d10be1be6064dd1599a5

SHA512
4e622c03dc02994601a5b1b6a8d3b6595486293e88e3e9f8c07b0b8d771db52ddfae89ca1360dd3e202d15cde4e8c35f0c403212ff4325b597a34202c838fc32

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
a1ab878adc846d9d314b5d14bfde6630

SHA1
b626862798e460b8a7b581fb48cd8e8a6b913272

SHA256
4ebbb2e92e2f3d7a848d05e7044ec79c49efdc6060611a47048b1efe6cac6c6d

SHA512
f3e3f66f6d8c0393a29adc02a9c4dc420f936d192b55a5a43560bf1031b6879ec5a3823e6a3e7efaae8d32e11761c91259aed46b1b1bc2a460d6e3813d5f3349

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
8b2672260d005d0c504b278ae7a014fd

SHA1
e19073793671d4ddd1c2579de9358f37a0a104d1

SHA256
22e7b200358056f6eb90356c18696256287dcd95d9a626459526b859418ac96a

SHA512
a26c50661dc3ef70d496137395569f8b12971e6cdbbb264443caf8e733691f808af40dcff68dd7052fccb31f489b16e35c6f78056f45325a919c07110a9cdeaa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
254KB

MD5
2d697e995b649e7f584cccd0d0926a75

SHA1
94f97b67e11498599e3d0bb4db932dc5542e03de

SHA256
21d44c528c924d2a5914022fea6460c22d50f2bd3e333be4c51920400e5bdff6

SHA512
ce36bef5e57f322c94001e88abc09392e9e8ac28c777ba6a1a140e466d232dadfa7c5fb5499774b099e4cab2b1019f2e56240e5a5c9c6f3170dafae62b14658d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
8b67b0777a76fc4c5aeb14dbb2a7480f

SHA1
6672f580c8e558ac7925a445204aee5e384d6a88

SHA256
12d9c471508ec18328dd84574d4a38881b9e870c6db5d9c10a9f2ddcdc597bbb

SHA512
73af4432c3e97261cad572b1bfaf45ef7452d98e04df3e7e700999b8298ff85e3cd601324cf8c9d5419797a2c45c0e656ec8c89092be401e2610e4d1317bc192

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
20362be6819e33857b8f01b8cdf5af87

SHA1
b8ea9afd7969d0a9b9e6c43c5a23f7ae38bf176c

SHA256
2461d785c126dffcbb12368336a233694fae7258fb7835e231d9ae10eb4cb0a6

SHA512
a26b044c911afcf57cbefd0c5a919388e510f32cb8d5d31f78e10bb60c7db3cab5180576db07acb83ea1a73991653657f41b41f2afb2fbb90e2c7618c0f180c8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
7666c552c7c6c56314d62f60ae5583e8

SHA1
e00acb8f52b1573f1847b05b6b00aacce08e2d5e

SHA256
5bbd3a78b47a6c1ab642b35e5f0a3739a9a679081f7bd77e622dea18b2494d61

SHA512
26053fcd9aca20f6c7aa893ec812f29569290b87e0084ef18bb4fc5ef649a2fdaba839a8454f45e61d7940bb9a272d6cd1ce7e3cac3c25458911011d6fffb7cb

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
3a7fca7b24003b9ab1d365ccb134e76f

SHA1
cb3777f985960b5f5edd9d86566ca849abb8d993

SHA256
0742f1507a99195da3c8f7db23c8f2e4571de6506fe8fc51932907ca10227d26

SHA512
e45784de1a36a6789a88e3c3947e83290300f1d85a74456942da7ddd68bb3681098427b44f2f4fc4b9a1814e94150fc3a73b912b1f692474c26fc10446a5280b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
bb404e1f504eb32cc03a114de3417a73

SHA1
5f86cb7ddb311204df245d79507d036115956512

SHA256
fe5ec71a08e9b23c36ae2f4ba50a004d65cd8da8704b34af032add149793bb8c

SHA512
ea9238f51d9d1e810063cb92031e0748caf916b26932da27127d9383f0604ea48357ee58974ab7393188c56c1a052f15e16909843e6ee4024f2eeb579837e12a

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
62KB

MD5
95e303f6d9725ad717e8da0d4cd0222b

SHA1
3cbb1c581b44d8eb61b126ec53abd2788bf9aebb

SHA256
bf72517030e05a93f1ecfc770e0f39d0a5905147352d7bfbd4f1a3bba2ebec5a

SHA512
b597d1a45a9cab89de6df3a6cdef2f281f5616ccb981ec4e8b2376bf378b48d8f2c638677c6d2f4c5c4e4142e465c0279a89d993fb512fecd78067e4cd5c7b1a

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
128KB

MD5
46257dff09e49b04dc2239c9193c79fb

SHA1
35dd02d4a42e9e00489f960043763a7d3cbc78d5

SHA256
edc16688297abdf3edb66cef43d5e460312ea13ff69f2fbdee1d9ad20cdded95

SHA512
10a405ef008c41236f5a9738aab629939ef287eed82575ae38849d629d6ddd11d942c5a8df76631256141c44dd279354bdbe4a5b8adfc4d49e6a9018db074bc0

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
391KB

MD5
c90b1f85dbae6e2d210d238dc7b99f1d

SHA1
cbe5465f3202fcdefa36dceb243389216244db96

SHA256
4da6f32af810dfa6ada3fffd9ca7ccb5312be21f6a73625b23e20094816c39be

SHA512
3aa07a5b518273f8cabb01a1e55f813d0b67fb21fd5a07be36f046a6162a219b5a25557380ab1a876e7b26a6e52f3ecc5591e3ac59f4c1bf3098aeff527b487d

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
62KB

MD5
175520b7e92239f61a0053a7cef4d147

SHA1
7f17a2df336e503e8d99256fa9c251d8e961b651

SHA256
d70cddffcd807a3a885c44de3a3a035ac988b92d657dabde5219d49ece5e9cf9

SHA512
3db9e58c4490ba380b412ee63cef84a2ec99eb953b98790756ed8e6db991f26fecec77ae075253e661c28041f2784c2667ccb2211617a2082a274616046ec2a2

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
156e72e809be1a5795dcb31c3ab9874d

SHA1
7a67734af5afdc0e7e1fc9036a1b3a77c4c29d04

SHA256
85ea45266c453c6f5ddba2998112b92b157563911ca2f4c94343684d11e99412

SHA512
b5eb7a1c4611f5189ff4b6bb1dd30dae9cfdb458d7dbe3faac763408ec03761f6012dcd2bc4e9dd60140e103dc7b1dc8f4fcc24c48c5085fdd82dbcfcfc7d8b6

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
42a3613adfd51f073eb425e232bd17de

SHA1
6560494f5a228949ce30b2bc8ee21f35187e784f

SHA256
638e6fbfdf0bd91449e156b6a30ccc7134fa3fe16ea30079a8130f381b92b872

SHA512
866e7f33e48dac4002937af1a0a800e63d8fa3f61893311587b10bb003190cb1166ebb86c70b9e50ff2c831554bdde78e0a92ef13c1708b15e717eadc08b952f

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
b1b3759ff371a62723df9eb2d586dce1

SHA1
b032a271e7d9968351c86d532ed8f8a453a5bb5e

SHA256
d9e78b01385593bdf63a83223fd48cca472cfe09c0eba3a357020a45f2facd1d

SHA512
9d2e00a8a3f430a1d9d16b42c1b06e75111789bcf5ca282094f286ef7dc97e01ac4b1ebb3cb3e2408d0795becbbb72b39746ef7c27dd15b476fc49fadb7102b3

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
a0bbc6bedc4f123531281616ffa9379e

SHA1
588f6bfc0a6f7f2256d9b8915a257394f0325f79

SHA256
b01f681a6a266c40b596bc305d94fdb1225ae92d48523a2c949bb1bac0ec4a72

SHA512
60502d6fd6382fac1243256d657fab361c927f3994d084edb50f86ed6c56d24f694913ae7ed43bb717c31fedac64d402d846daceaaf275160ac7546ae7a4f61f

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
8705549aeb6aa5d4f7bd17b46abdd373

SHA1
a43ba7e52e0f00463ad9864a72ed1a52ce667868

SHA256
1f9bd3b0cd2c72de5e20507fd217033e28750fb2e07c52b62ac57b6a8e2b2a48

SHA512
c41e0b7dca7c8fb80fa630f75c43dd1d97328b2873c5fccb3961055715cbcf0a3281d812b5641115dfa6f0d3360f299218dfc7cd80510cb1f33854d00e068a6e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f2d8de07539b2f66d2f4ed2bf56b192d

SHA1
34de5aa944f14d5815242c60fa360aa1326a6570

SHA256
3502af02c2476f09b78248887513e1005cb44169e4eaf4c54e249ef6dea5dda4

SHA512
9e2f43e1fb9ac63b6fc18a2c6f834ba54c773c723f148373c345bcc94a0de0032ddd2bec3c26c48bb556fd61b4b11ee559f5d1cd3bbf87f8f99737e0afe356af

Download Submit
\Windows\ehome\ehsched.exe

Filesize
576KB

MD5
296b3d02cc342472e3ae740f45fe1a71

SHA1
243d356159b2a1d3a6390e5bd06f6fd70a6a3a28

SHA256
061a8986c8055a769a105bed130cc24101a5943e20454e8841afc5fde269a4f8

SHA512
c8fec23f88dd1dd7221446f0fcec4208543a327cba6ef437bdf8df8081566f201ffb49898a4a9625d9d998b2e48007727af8c74561163ebf64f4f98b273d8192

Download Submit
memory/288-326-0x000007FEF4FE0000-0x000007FEF597D000-memory.dmp

Filesize
9.6MB

Download
memory/288-321-0x000007FEF4FE0000-0x000007FEF597D000-memory.dmp

Filesize
9.6MB

Download
memory/288-367-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/288-381-0x000007FEF4FE0000-0x000007FEF597D000-memory.dmp

Filesize
9.6MB

Download
memory/288-393-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/288-228-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/288-396-0x000007FEF4FE0000-0x000007FEF597D000-memory.dmp

Filesize
9.6MB

Download
memory/288-483-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/288-556-0x000007FEF4FE0000-0x000007FEF597D000-memory.dmp

Filesize
9.6MB

Download
memory/524-345-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/524-353-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/524-359-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/524-360-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1364-373-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/1364-362-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1364-554-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1472-102-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/1472-182-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1472-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1472-96-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/1528-142-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1528-107-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1528-106-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1528-113-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1692-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1692-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1692-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1692-306-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1692-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1692-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2124-123-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2124-122-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2124-131-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2124-162-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2168-322-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2168-391-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2168-568-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2168-227-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2188-371-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2188-221-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2188-213-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2256-389-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2288-409-0x00000000749C8000-0x00000000749DD000-memory.dmp

Filesize
84KB

Download
memory/2288-385-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2288-395-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2288-397-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2504-166-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2504-173-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2504-324-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2504-165-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2660-323-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2660-327-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2716-151-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2716-145-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2716-219-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2716-152-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2716-146-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2792-408-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2792-334-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2792-337-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/2860-563-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2860-196-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2860-206-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2860-351-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2860-562-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3060-183-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/3060-184-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-364-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3060-190-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/3060-208-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3060-336-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-191-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/3068-164-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3068-41-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/3068-15-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3068-13-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download