bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 14:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
Size

1.8MB
MD5

a66c02b1c88121404be6f6a0c12fc908
SHA1

8d25f259dce828de5c28a06aa2c1c7c036b32b55
SHA256

bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f
SHA512

3a67f06b0d01c8b66c9378ef9184e98c8ac01c2a6060b8ce60561bacebc16b32c8884e169ca0fabe629817028ca23b59ea895ca10b0faf36790dcc2d74ea0136
SSDEEP

49152:cKJ0WR7AFPyyiSruXKpk3WFDL9zxnSdkQ/qoLEw:cKlBAFPydSS6W6X9lnIqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2516	alg.exe
1416	aspnet_state.exe
1692	mscorsvw.exe
2500	mscorsvw.exe
812	mscorsvw.exe
3068	elevation_service.exe
1924	GROOVE.EXE
2324	maintenanceservice.exe
1596	OSE.EXE
2680	OSPPSVC.EXE
2528	mscorsvw.exe
2956	mscorsvw.exe
2660	mscorsvw.exe
1092	mscorsvw.exe
1904	mscorsvw.exe
1608	mscorsvw.exe
2408	mscorsvw.exe
1296	mscorsvw.exe
2572	mscorsvw.exe
2720	mscorsvw.exe
2388	mscorsvw.exe
2468	mscorsvw.exe
1800	mscorsvw.exe
2012	mscorsvw.exe
2784	mscorsvw.exe
1092	mscorsvw.exe
868	mscorsvw.exe
2120	mscorsvw.exe
1648	mscorsvw.exe
1456	mscorsvw.exe
300	mscorsvw.exe
2068	mscorsvw.exe
1700	mscorsvw.exe
2588	mscorsvw.exe
2372	mscorsvw.exe
2804	mscorsvw.exe
2596	dllhost.exe
1096	ehRecvr.exe
1236	ehsched.exe
2504	IEEtwCollector.exe
1792	msdtc.exe
2260	msiexec.exe
3044	perfhost.exe
2348	locator.exe
2332	snmptrap.exe
912	vds.exe
1608	vssvc.exe
2960	wbengine.exe
1720	WmiApSrv.exe
1632	wmpnetwk.exe
864	SearchIndexer.exe
1192	mscorsvw.exe
1012	mscorsvw.exe
2432	mscorsvw.exe
2172	mscorsvw.exe
284	mscorsvw.exe
2888	mscorsvw.exe
1980	mscorsvw.exe
2868	mscorsvw.exe
2536	mscorsvw.exe
1752	mscorsvw.exe
2524	mscorsvw.exe
2868	mscorsvw.exe

Loads dropped DLL 27 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2260	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
728	Process not Found
284	mscorsvw.exe
284	mscorsvw.exe
1980	mscorsvw.exe
1980	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
2524	mscorsvw.exe
2524	mscorsvw.exe
2088	mscorsvw.exe
2088	mscorsvw.exe
756	mscorsvw.exe
756	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e6b0a4e01a2b445d.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\goopdateres_lt.dll	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\goopdateres_ur.dll	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\goopdateres_ru.dll	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\GoogleUpdateSetup.exe	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\goopdateres_hr.dll	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\goopdateres_ko.dll	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\GoogleUpdateOnDemand.exe	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\goopdateres_sw.dll	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\goopdateres_cs.dll	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\GoogleCrashHandler64.exe	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM669F.tmp\goopdateres_fi.dll	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6632.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6AE3.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP79C2.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP70CD.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A8207ED3-6A8D-4D07-B77D-74A81E4999A7}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0e23187e976da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{654813CC-401B-4105-BA0E-09D83BEF68CE}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000090975587e976da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b026d189e976da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2888	ehRec.exe
1416	aspnet_state.exe
1416	aspnet_state.exe
1416	aspnet_state.exe
1416	aspnet_state.exe
1416	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2684	bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeDebugPrivilege	2516	alg.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1416	aspnet_state.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: 33	1912	EhTray.exe
Token: SeIncBasePriorityPrivilege	1912	EhTray.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeRestorePrivilege	2260	msiexec.exe
Token: SeTakeOwnershipPrivilege	2260	msiexec.exe
Token: SeSecurityPrivilege	2260	msiexec.exe
Token: SeDebugPrivilege	2888	ehRec.exe
Token: SeBackupPrivilege	1608	vssvc.exe
Token: SeRestorePrivilege	1608	vssvc.exe
Token: SeAuditPrivilege	1608	vssvc.exe
Token: SeBackupPrivilege	2960	wbengine.exe
Token: SeRestorePrivilege	2960	wbengine.exe
Token: SeSecurityPrivilege	2960	wbengine.exe
Token: 33	1912	EhTray.exe
Token: SeIncBasePriorityPrivilege	1912	EhTray.exe
Token: SeDebugPrivilege	1416	aspnet_state.exe
Token: 33	1632	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1632	wmpnetwk.exe
Token: SeManageVolumePrivilege	864	SearchIndexer.exe
Token: 33	864	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	864	SearchIndexer.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe
Token: SeShutdownPrivilege	2500	mscorsvw.exe
Token: SeShutdownPrivilege	812	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1912	EhTray.exe
1912	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1912	EhTray.exe
1912	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1392	SearchProtocolHost.exe
1392	SearchProtocolHost.exe
1392	SearchProtocolHost.exe
1392	SearchProtocolHost.exe
1392	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2528	2500	mscorsvw.exe	38
PID 2500 wrote to memory of 2528	2500	mscorsvw.exe	38
PID 2500 wrote to memory of 2528	2500	mscorsvw.exe	38
PID 2500 wrote to memory of 2528	2500	mscorsvw.exe	38
PID 2500 wrote to memory of 2956	2500	mscorsvw.exe	39
PID 2500 wrote to memory of 2956	2500	mscorsvw.exe	39
PID 2500 wrote to memory of 2956	2500	mscorsvw.exe	39
PID 2500 wrote to memory of 2956	2500	mscorsvw.exe	39
PID 2500 wrote to memory of 2660	2500	mscorsvw.exe	42
PID 2500 wrote to memory of 2660	2500	mscorsvw.exe	42
PID 2500 wrote to memory of 2660	2500	mscorsvw.exe	42
PID 2500 wrote to memory of 2660	2500	mscorsvw.exe	42
PID 2500 wrote to memory of 1092	2500	mscorsvw.exe	43
PID 2500 wrote to memory of 1092	2500	mscorsvw.exe	43
PID 2500 wrote to memory of 1092	2500	mscorsvw.exe	43
PID 2500 wrote to memory of 1092	2500	mscorsvw.exe	43
PID 2500 wrote to memory of 1904	2500	mscorsvw.exe	44
PID 2500 wrote to memory of 1904	2500	mscorsvw.exe	44
PID 2500 wrote to memory of 1904	2500	mscorsvw.exe	44
PID 2500 wrote to memory of 1904	2500	mscorsvw.exe	44
PID 2500 wrote to memory of 1608	2500	mscorsvw.exe	45
PID 2500 wrote to memory of 1608	2500	mscorsvw.exe	45
PID 2500 wrote to memory of 1608	2500	mscorsvw.exe	45
PID 2500 wrote to memory of 1608	2500	mscorsvw.exe	45
PID 2500 wrote to memory of 2408	2500	mscorsvw.exe	46
PID 2500 wrote to memory of 2408	2500	mscorsvw.exe	46
PID 2500 wrote to memory of 2408	2500	mscorsvw.exe	46
PID 2500 wrote to memory of 2408	2500	mscorsvw.exe	46
PID 2500 wrote to memory of 1296	2500	mscorsvw.exe	47
PID 2500 wrote to memory of 1296	2500	mscorsvw.exe	47
PID 2500 wrote to memory of 1296	2500	mscorsvw.exe	47
PID 2500 wrote to memory of 1296	2500	mscorsvw.exe	47
PID 2500 wrote to memory of 2572	2500	mscorsvw.exe	48
PID 2500 wrote to memory of 2572	2500	mscorsvw.exe	48
PID 2500 wrote to memory of 2572	2500	mscorsvw.exe	48
PID 2500 wrote to memory of 2572	2500	mscorsvw.exe	48
PID 2500 wrote to memory of 2720	2500	mscorsvw.exe	49
PID 2500 wrote to memory of 2720	2500	mscorsvw.exe	49
PID 2500 wrote to memory of 2720	2500	mscorsvw.exe	49
PID 2500 wrote to memory of 2720	2500	mscorsvw.exe	49
PID 2500 wrote to memory of 2388	2500	mscorsvw.exe	50
PID 2500 wrote to memory of 2388	2500	mscorsvw.exe	50
PID 2500 wrote to memory of 2388	2500	mscorsvw.exe	50
PID 2500 wrote to memory of 2388	2500	mscorsvw.exe	50
PID 2500 wrote to memory of 2468	2500	mscorsvw.exe	51
PID 2500 wrote to memory of 2468	2500	mscorsvw.exe	51
PID 2500 wrote to memory of 2468	2500	mscorsvw.exe	51
PID 2500 wrote to memory of 2468	2500	mscorsvw.exe	51
PID 2500 wrote to memory of 1800	2500	mscorsvw.exe	52
PID 2500 wrote to memory of 1800	2500	mscorsvw.exe	52
PID 2500 wrote to memory of 1800	2500	mscorsvw.exe	52
PID 2500 wrote to memory of 1800	2500	mscorsvw.exe	52
PID 2500 wrote to memory of 2012	2500	mscorsvw.exe	53
PID 2500 wrote to memory of 2012	2500	mscorsvw.exe	53
PID 2500 wrote to memory of 2012	2500	mscorsvw.exe	53
PID 2500 wrote to memory of 2012	2500	mscorsvw.exe	53
PID 2500 wrote to memory of 2784	2500	mscorsvw.exe	54
PID 2500 wrote to memory of 2784	2500	mscorsvw.exe	54
PID 2500 wrote to memory of 2784	2500	mscorsvw.exe	54
PID 2500 wrote to memory of 2784	2500	mscorsvw.exe	54
PID 2500 wrote to memory of 1092	2500	mscorsvw.exe	55
PID 2500 wrote to memory of 1092	2500	mscorsvw.exe	55
PID 2500 wrote to memory of 1092	2500	mscorsvw.exe	55
PID 2500 wrote to memory of 1092	2500	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcc3ae830a2e43ac3e5b2f098703c2144f1182caf2d8ba19fbb92fbebeffb9f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 238 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 264 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 24c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 274 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d4 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 28c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 290 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 24c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 24c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a4 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 248 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 280 -NGENProcess 218 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 280 -NGENProcess 1e4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 1cc -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1ec -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 284 -NGENProcess 1cc -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a4 -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 278 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a8 -NGENProcess 258 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 278 -NGENProcess 1ec -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 24c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 244 -NGENProcess 290 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a0 -NGENProcess 24c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 1c0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:1040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c0 -NGENProcess 154 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 154 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3068

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2324

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1596

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2680

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2804

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2596

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1096

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1912

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1792

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:864
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1650401615-1019878084-3673944445-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1650401615-1019878084-3673944445-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1672
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
4bb5bd35168fc1fe6d96855dca3593c9

SHA1
28db81416467fdb85cea0bc9ed365151597680f6

SHA256
51b4374db6480c568ec4d1f5c5ddaf328b2dc99b0ad2e453967d9485bcb416d3

SHA512
bc0692f56ac24d19ec3566da5180aea28289c3334de10fa31f217c11c0c446e93c5bbbf6fac7bec8821ecea8e434bee80c1f4b84eaa3437fe20ac3bc0b27af43

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
13.5MB

MD5
c3fc9c549f0a08e218cabe4a7e794adb

SHA1
1a5dde16425d104bb798129fa148f5b59faffe34

SHA256
62624e7a62373c669c67911efc062ead0a6219f4a39cb8dc166c072b3e305afb

SHA512
d2346a9b297ee7dfd00a4eff66cffa3ea498846602dc09465888f9e0b8c5bb4660865281de312d61efb8ae7eaba7a6e21c12f33081da0bdcf7b076df9287f8f9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
de1dbf707177672521b0a4af284a9e11

SHA1
2f24f046b5acee83f6f8e4a48bb575b753d2c7ef

SHA256
b1ca21520221d1dceaabc3e8ac5cb55590f49f47b5566d7321070185c863885d

SHA512
6bf1e7c1fa48939c0955b9ecbb0a56b6eb09bc861539081a7db84fb96be7f305557028abdc4a9241090d8e8c6fe24749c26cf94a6a679ab7d63ec79ba7351a8f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
604KB

MD5
4c431da666b4a630d4e8ce71c1547d42

SHA1
265384f9f0bb421dd344b4754ce5fe85f7ac92fd

SHA256
22ca0bc8fabd4ea0486e2e86b5a775b6fa8a03d330d7ad2a6761fa1e99d5e42a

SHA512
ada8d1af61eab33f7184f68ecb0c613b83fc23622d5c27c586aec91d73649a535e9c9e0ff48a54fd71992b5957a039c0add7c56a55696223cdb604a8df230506

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.5MB

MD5
30641f5ee407c7aeb2fc15f9d522a9a1

SHA1
863656b0f7a00d1c14409094be379d29ea37816a

SHA256
c8743592ba3d5df160297aa35332b3d22503ff589f2781274383770f722b8433

SHA512
e2f8dd35ec7d1a89b5315053064fe4c28b02b4f6ce62b8cb1bd7f7a3520e10cd13047a5f4613af82f27a33f0b172d1b75eeb013b8afe692562385be89b45d486

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a1e90de4283cd1d50cb93d65eb39b288

SHA1
5bd5ad71d518096b743523736ea9e6727e4ad414

SHA256
40f7f253bb5499450f1a71817a3d15f128aba2f4ad8a2e51764354397cab6a60

SHA512
69eec575a4bfd0b128f63d40f51b12a1d4168ab0b06fe0ce56cfeb2e87b7172eb9aa3d9b20925ea41b646e54d77599ebed4378def7b0d32c4c26e0db23221a69

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
2f2af7d0a3025f16916c1f0df9ff0e0c

SHA1
c9562b5653ed195155f6f6a4b55ffa9584b014f6

SHA256
1efd807fd47bba56de72010e23d3c5b589a4410f92d4df74bf0b90e29936aec4

SHA512
0ceefe2ebbf11fb79843e89b143e90b494202d413e4f3f88012826093d3eed30f853f0b0fcb332ae83f1a51f88c5049546b4987eb90de40f2bd70167e834d75b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6f3d997743f9babb939a91589213a7f4

SHA1
a6ac648adfafec399c50f2771397bbf9b9631b46

SHA256
2cd820382adccb9a4592e63c06734d47ddd6a5ae6da0a071c7952d95c6185a56

SHA512
3564a91e57fc61efa04cea82012e62f7d2ef23cf36c342fc390f84fd20af90018102eab3b920971824e0bfc41f8980629d46e20e920b472bd8f6bd3d1f138df5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
68c7e5b12ca14c42178e09b5eb4cef54

SHA1
5eca5b4a3178ea75e1ecb6db7eb556dbf5bffe8c

SHA256
fee0cc48436a7de39dcf2ff1abca59c8826fe5d98a76265f0208950670f0bd66

SHA512
36cab87da27375a4150bdb8a0e46ad886aaea5845ee9a1fa9a7a001aa53b586ca7a64f163d135561504c9e723bf818656d21a18da15e1ac6357f08fbe2aa1497

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
c4b037712fadf55c9414c240ddfc4fa4

SHA1
61d1728531be86645ec1348fda91b5d1b475e93f

SHA256
36767c5574b1f10b7025925ba0c36facf9c99f53590ff38719590feb298fa83e

SHA512
a6be8c52a8dac50157e8de79978729cd1206def287f61080b0d76d953fe5ae5e8ced31e9f9768d9b1cecdddd00f33a1d4d56b08f8086186012b1f8a11b0120c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
670d3ea004c5b8ad27b7d61c7d799ae5

SHA1
8c1f6d0a67e9bf176e24c39853ff90661f775e91

SHA256
1f8fa61a657d7132c9575d824570f8ef6574463c028a1fd723e266593f4f02f2

SHA512
71a5ad3f7132f2aee48acbea5dfaf2c830bd533aa9f9d793e15d67c1461d5797a9a04219665d50bf116f08c693203fbf9ed66294cbbad3ee785c2888c92db4db

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
76b2b68e3948486f1784e213752df264

SHA1
4d5403841a3a3c66ae93803b48b88488a481988c

SHA256
dd51454aa8b8a3929f9b942db135785afed845d92677b20c6cc2e4e054fcd59d

SHA512
5f217dc2ad156a858dd2181a31d31f8a40460b64f1dbb0e2fcd2cbb4d65b3e6f50d9267f5ac33f90d00bb69fb62dbd030584fc32a7306e0f1a7fb8bafe5222d8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
e5706152247812592a992b7d2e5a6976

SHA1
cc7bc40e08d21b785bdb7c4c3667ceac240e5f48

SHA256
535e5a5f54ac0f48422b3b44e9914a80fd70d71e8e0cf9452c9a1664bf3c14b0

SHA512
f1b17337572c2f8d4afac9026ee19e062d8dd6ad5d3ac8536d8d3aa98808f8045beb896ec0b63674e426aa19db99c8da0779a9547522a23cb38217c45b75bbdc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
459KB

MD5
f47c65453c68936e6719696cb4fe1101

SHA1
331b1749188486d954410fc8f1e93d41df5b8472

SHA256
349ab1becb03b82733b155053a8d85a67c06df3e3880703677e77dfae1721fc5

SHA512
836eb539c8de966f906b5cac7c9f408ea1d1b884bcbc3d3a116fbfb5ff02694bd9b8abcf9caa9f4a3ddbe88edebb2fe16610a773fa8b4e5c4af883aa1e80eaf5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
8b3ba8c1cbf18a623aecd81dab948281

SHA1
efb2e779d0a6a030d7d6836153e24f08b699045b

SHA256
523220e61f0b8907f86461bd73097fb7b0f4dca0ee4025181e7ae494c892aa86

SHA512
fa5546a3162dbcb4bcff4ac263fb7ab565edd2d29bdf0bdcf428929ffc59ccb4f304eca9d23d6683538e883ac94ac8a3c3cd854a78b28876d693270e5bfc89f1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
4a7167abf24acd2b134c656720d74322

SHA1
8d61967a1924c8e75410f4988ae34d5c67f59942

SHA256
257c59b703cc813665ebec48a7ade0dbc762d87d6ae20a2bc430db2eeec1081d

SHA512
9a88b5026c5617c3d7d052891db785408b3680716e970f088027254193fe7e5cd02053523eec7ac4efbfcf93d53d0feba9ac57e8b82b4f8faebe393a13bdea5c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
bd25f51870ac83536b704921a2e7a800

SHA1
e38496931358488f9063bf44379ebe9d9cee0eaa

SHA256
3b38f376d09ada04613a945c55f3b710d82f9400f5707d01b8d5ca824beda078

SHA512
5a223070d87307c11f1caddbaa8e3650eb1062fc1027becf741288e17b449b1da3fe9d77d797e0130d5c0595b4ce78c7f621c532cf2421160f4d409f0724dde1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
b04bfda8ad2235557db2a3089d7b0ab8

SHA1
c0426c4c44135d5a0db5ed2afd10ecd7c6e09516

SHA256
cb09e60e84cc687b8d53c7f89ceeb187d231bad2af021a49d9d107522a649206

SHA512
3cd933979d1fe5e412aff605d291893cfbbd88c4103e2d764ab71c69fdff1155116a8573cf90f593614bb54a1dab6c89cc53d83976c0b8a2badfa6bcbc25c190

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
b9c6dda41879df02c73c1fe795285a1d

SHA1
7104cbfe739e436f2df4c5babab867da7f6277dc

SHA256
8f5b0f1271a3d22cf4bf79bc726f371e3f204e79129185583dfa46e3e2e49381

SHA512
a227a907130c1c4cdd7fb03397268c11cae9958dc9fe7ed06ceedf8c1ed290cf3a93ac3715843ca9e99ac7da26dad6883ded4f51355e1f7be10310961ee995b1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
c98302ec03781b80c59a1235a4f1bf01

SHA1
7c98be19b748dde476163478b3737970dc325cf4

SHA256
3a3949e8b1913c45137b2235d677d7bc0fd3e76921914534fd9786a74581797d

SHA512
1d072710ae8db69949a319ae3c085cb7ae86b40ed1d2c5705f24d8662983f2f703eb07b5f07a824b172778a44372d8f1f595805b8c35d3105a15f2f40c6f1cfc

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
c728659f1485474daffeab9d13e7d7b5

SHA1
1bb35c8aa09729e98f27743b2ba6f6b3bd899c40

SHA256
fac5a1f74351d235fcedab1af735eb10e375741552393e4a022825e29af909c2

SHA512
f628d505d1402df46250f031089c5abd1ea9e5f2511f6e9fcb193b5d2d42fd5e49184ca0c88fd346a8c5140c38998b0e55f5bd71fb5b42e260c3fe71676af05a

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
2028df6d2623d1338b591f4542aeeafc

SHA1
c49b42109f7fd18e47c319a64da54c6dc8d2e5b8

SHA256
0c3cc650ce3092339a59061f15f50d7ba1b562ffb6857006dc0f8f1d1a7e975d

SHA512
3bf2866d401629e59e4147408894a8f183d79d0dcab1428fee66b3fce11822e9b0fdc415c96d7852bbf8dccbabeafc92ae6bf9a843d5cc9050b9299ec9399e8e

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
ef5230bcacb79d8f56fb7c95c7744968

SHA1
7de7d7bf2002ab40aabc0591d8f6c833297e019b

SHA256
c20168545435564b6692145956774cfaec9a2ec7d3555a10e45d408ab91ad06d

SHA512
f45d924af3f70c3400c6322c792c400021716bac6b0c9d438850309bf8e0f5851bc90b5d5e155961c20487baa83878bbb73ca7fee06c61831492258c22c9e200

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
00a0b9914f885d426d07596b1f04b3f7

SHA1
2cd4f29218ee02ef4cbb369d66dcbeb4869938e7

SHA256
81634fa65aab70522dd568664a1fb1fed8c7e434263fce8975002b6ba9ef4444

SHA512
2559ad157f8b7b299c4c98fb0a2b589ac61c18daff4526c653e9e6485da3975e2099a6526b4453d6abbb41859f517ab042cc7a9401b121a834970e139630f5c9

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
34dbae8dd53ed928992471cbd7dfc6d5

SHA1
b5df3f786c9f73620dce7bfc4824ffbb4f0f98c6

SHA256
a4872dc21086bb0833ff4cb44f061ba3f35ae529f6882de354a54e7ef44440c7

SHA512
490b1b5aa12dd583f343a16e3f9479f5248d2432490bae2055b6aa7f3c6cb2d25bf6a2dbdb1b5f0ded4d9761e6e4d759b6084b07fa9918a139492fd9a92ca8ce

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
ec327aed312dd92c9692bf5d5b6e8e85

SHA1
cd88e943ce65667961cb5eb288ec73ed6b25e0f0

SHA256
b5322c506caba6f27c4dba2054c7b3199f67cc4f046f0fb67f33b7bcff6346e7

SHA512
cc49bf1c55dd800d0b27c25debacde5f7f737aca4c6d9717412a9f948479e4e70a8d39ec140ee98b807dc7489f1c3bf35a125aa47864d28eb8fb828a9312fced

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e0d988c477062c6158e435f154470cf7

SHA1
3eef6773991ca28f7a352c47ea41c9fac7da1e5f

SHA256
8222675477d820d74e2ab92288f15d25db0973c68d1aa529a6a06e22b530e88c

SHA512
c96b1b719654e2b1b722ba1025f3eff6ae2b82e9a549d6a214065ad683772f078de53d4c79eaf3a09b819342ca533695475209177d02ca0683dd7f02745f545b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
70faf8b5d24b0da2bc12951decc70df8

SHA1
aafa332ff1d3b8a1b59fb20b0fa16abefc518bf2

SHA256
25ec62000606831a55755923a3876669bab40252925a4ff0f7277263c535f88a

SHA512
688ecdc0d13aea60893add43776e6764ce6ecc8a809e42a9014af2562f5da4d257430aca93de94503993cdc577091ae01ab6dd319c0a4f64af9c68106962ec5a

Download Submit
memory/812-219-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/812-212-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/812-285-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/812-213-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1092-497-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1092-499-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1092-498-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1296-548-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1296-557-0x0000000000AA0000-0x0000000000B06000-memory.dmp

Filesize
408KB

Download
memory/1416-234-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1416-87-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1416-96-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1416-103-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1596-275-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1596-337-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1596-282-0x00000000004E0000-0x0000000000546000-memory.dmp

Filesize
408KB

Download
memory/1608-537-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/1608-518-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/1608-536-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1608-522-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-535-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-189-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1692-188-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1692-180-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1692-183-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1692-229-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1904-519-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1904-502-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1904-501-0x0000000000AB0000-0x0000000000B16000-memory.dmp

Filesize
408KB

Download
memory/1904-494-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1904-520-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1924-244-0x0000000000420000-0x0000000000486000-memory.dmp

Filesize
408KB

Download
memory/1924-309-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1924-250-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1924-249-0x0000000000420000-0x0000000000486000-memory.dmp

Filesize
408KB

Download
memory/2324-262-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2324-255-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2324-268-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2324-269-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2408-545-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2408-542-0x0000000000320000-0x0000000000386000-memory.dmp

Filesize
408KB

Download
memory/2408-558-0x0000000000320000-0x0000000000386000-memory.dmp

Filesize
408KB

Download
memory/2500-197-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2500-196-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2500-271-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2500-203-0x0000000000300000-0x0000000000366000-memory.dmp

Filesize
408KB

Download
memory/2516-195-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2516-48-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2516-39-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2516-41-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2528-311-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2528-300-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2528-326-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2528-336-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-317-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-452-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2660-462-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-464-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/2680-318-0x00000000749C8000-0x00000000749DD000-memory.dmp

Filesize
84KB

Download
memory/2680-303-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2680-511-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2680-544-0x00000000749C8000-0x00000000749DD000-memory.dmp

Filesize
84KB

Download
memory/2680-294-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2680-287-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2684-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2684-181-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2684-106-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2684-7-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2684-6-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2684-1-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2956-333-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2956-386-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2956-387-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3068-232-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3068-240-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3068-298-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download