f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
Size

1.8MB
MD5

dcab67d71ed7f1ccd1e75ba4ea4173ac
SHA1

11140406e80582ce1157b9efea4a106dae78ded5
SHA256

f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5
SHA512

f8f0dd10cccc6f83d2495a853a6fa81eabcca1ffaf5f6aa69b50587e8affc1a38a27335d638381b0d989d19a6d1d2362fc5ea1e1650898d2005bf1961d8d74ab
SSDEEP

49152:KM9QPdxwfE7WlFwKAfzuTiDFUFkK9cvyiE691E:K1PdVQFwKZCFgNyE691E

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
484	Process not Found
3024	alg.exe
2564	aspnet_state.exe
1252	mscorsvw.exe
2268	mscorsvw.exe
1016	mscorsvw.exe
1560	mscorsvw.exe
636	ehRecvr.exe
1944	ehsched.exe
240	elevation_service.exe
2612	dllhost.exe
2896	GROOVE.EXE
1504	maintenanceservice.exe
1784	mscorsvw.exe
2940	mscorsvw.exe
1400	mscorsvw.exe
2936	mscorsvw.exe
2132	mscorsvw.exe
2296	mscorsvw.exe
2664	mscorsvw.exe
2400	mscorsvw.exe
1836	OSE.EXE
2616	mscorsvw.exe
2796	OSPPSVC.EXE
2280	mscorsvw.exe
536	mscorsvw.exe
2232	mscorsvw.exe
2528	mscorsvw.exe
1904	mscorsvw.exe
2704	mscorsvw.exe
1740	IEEtwCollector.exe
1508	msdtc.exe
1776	msiexec.exe
2028	perfhost.exe
2756	locator.exe
2180	snmptrap.exe
2080	vds.exe
1860	vssvc.exe
996	wbengine.exe
1704	WmiApSrv.exe
932	wmpnetwk.exe
888	SearchIndexer.exe
2824	mscorsvw.exe
1916	mscorsvw.exe
1996	mscorsvw.exe
1500	mscorsvw.exe
852	mscorsvw.exe
2144	mscorsvw.exe
2988	mscorsvw.exe
1672	mscorsvw.exe
2024	mscorsvw.exe
1400	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
1776	msiexec.exe
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
740	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1ef764902a37835d.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_id.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\GoogleCrashHandler.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\psmachine_64.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_ml.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_ca.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_hr.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_cs.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_fr.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\GoogleUpdateSetup.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\GoogleUpdateOnDemand.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_de.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_ko.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_mr.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_en-GB.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_sw.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0CE5CC7E-EAA3-4562-A781-DCB0067BB36A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM15A3.tmp\goopdateres_es.dll	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6B2BA8D0-4AA9-4714-85FF-812D53D272F8}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6B2BA8D0-4AA9-4714-85FF-812D53D272F8}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{DB8E4EE6-F18C-4174-A2B4-244897B84FBA}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{DB8E4EE6-F18C-4174-A2B4-244897B84FBA}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2528	ehRec.exe
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2476	f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: 33	376	EhTray.exe
Token: SeIncBasePriorityPrivilege	376	EhTray.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeDebugPrivilege	2528	ehRec.exe
Token: 33	376	EhTray.exe
Token: SeIncBasePriorityPrivilege	376	EhTray.exe
Token: SeDebugPrivilege	3024	alg.exe
Token: SeTakeOwnershipPrivilege	2564	aspnet_state.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeSecurityPrivilege	1776	msiexec.exe
Token: SeBackupPrivilege	1860	vssvc.exe
Token: SeRestorePrivilege	1860	vssvc.exe
Token: SeAuditPrivilege	1860	vssvc.exe
Token: SeBackupPrivilege	996	wbengine.exe
Token: SeRestorePrivilege	996	wbengine.exe
Token: SeSecurityPrivilege	996	wbengine.exe
Token: 33	932	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	932	wmpnetwk.exe
Token: SeDebugPrivilege	2564	aspnet_state.exe
Token: SeManageVolumePrivilege	888	SearchIndexer.exe
Token: 33	888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	888	SearchIndexer.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
376	EhTray.exe
376	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
376	EhTray.exe
376	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
276	SearchProtocolHost.exe
276	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1784	1016	mscorsvw.exe	42
PID 1016 wrote to memory of 1784	1016	mscorsvw.exe	42
PID 1016 wrote to memory of 1784	1016	mscorsvw.exe	42
PID 1016 wrote to memory of 1784	1016	mscorsvw.exe	42
PID 1016 wrote to memory of 2940	1016	mscorsvw.exe	43
PID 1016 wrote to memory of 2940	1016	mscorsvw.exe	43
PID 1016 wrote to memory of 2940	1016	mscorsvw.exe	43
PID 1016 wrote to memory of 2940	1016	mscorsvw.exe	43
PID 1016 wrote to memory of 1400	1016	mscorsvw.exe	44
PID 1016 wrote to memory of 1400	1016	mscorsvw.exe	44
PID 1016 wrote to memory of 1400	1016	mscorsvw.exe	44
PID 1016 wrote to memory of 1400	1016	mscorsvw.exe	44
PID 1016 wrote to memory of 2936	1016	mscorsvw.exe	45
PID 1016 wrote to memory of 2936	1016	mscorsvw.exe	45
PID 1016 wrote to memory of 2936	1016	mscorsvw.exe	45
PID 1016 wrote to memory of 2936	1016	mscorsvw.exe	45
PID 1016 wrote to memory of 2132	1016	mscorsvw.exe	46
PID 1016 wrote to memory of 2132	1016	mscorsvw.exe	46
PID 1016 wrote to memory of 2132	1016	mscorsvw.exe	46
PID 1016 wrote to memory of 2132	1016	mscorsvw.exe	46
PID 1016 wrote to memory of 2296	1016	mscorsvw.exe	47
PID 1016 wrote to memory of 2296	1016	mscorsvw.exe	47
PID 1016 wrote to memory of 2296	1016	mscorsvw.exe	47
PID 1016 wrote to memory of 2296	1016	mscorsvw.exe	47
PID 1016 wrote to memory of 2664	1016	mscorsvw.exe	48
PID 1016 wrote to memory of 2664	1016	mscorsvw.exe	48
PID 1016 wrote to memory of 2664	1016	mscorsvw.exe	48
PID 1016 wrote to memory of 2664	1016	mscorsvw.exe	48
PID 1016 wrote to memory of 2400	1016	mscorsvw.exe	49
PID 1016 wrote to memory of 2400	1016	mscorsvw.exe	49
PID 1016 wrote to memory of 2400	1016	mscorsvw.exe	49
PID 1016 wrote to memory of 2400	1016	mscorsvw.exe	49
PID 1016 wrote to memory of 2616	1016	mscorsvw.exe	51
PID 1016 wrote to memory of 2616	1016	mscorsvw.exe	51
PID 1016 wrote to memory of 2616	1016	mscorsvw.exe	51
PID 1016 wrote to memory of 2616	1016	mscorsvw.exe	51
PID 1016 wrote to memory of 2280	1016	mscorsvw.exe	55
PID 1016 wrote to memory of 2280	1016	mscorsvw.exe	55
PID 1016 wrote to memory of 2280	1016	mscorsvw.exe	55
PID 1016 wrote to memory of 2280	1016	mscorsvw.exe	55
PID 1016 wrote to memory of 536	1016	mscorsvw.exe	56
PID 1016 wrote to memory of 536	1016	mscorsvw.exe	56
PID 1016 wrote to memory of 536	1016	mscorsvw.exe	56
PID 1016 wrote to memory of 536	1016	mscorsvw.exe	56
PID 1016 wrote to memory of 2232	1016	mscorsvw.exe	57
PID 1016 wrote to memory of 2232	1016	mscorsvw.exe	57
PID 1016 wrote to memory of 2232	1016	mscorsvw.exe	57
PID 1016 wrote to memory of 2232	1016	mscorsvw.exe	57
PID 1016 wrote to memory of 2528	1016	mscorsvw.exe	58
PID 1016 wrote to memory of 2528	1016	mscorsvw.exe	58
PID 1016 wrote to memory of 2528	1016	mscorsvw.exe	58
PID 1016 wrote to memory of 2528	1016	mscorsvw.exe	58
PID 1016 wrote to memory of 1904	1016	mscorsvw.exe	59
PID 1016 wrote to memory of 1904	1016	mscorsvw.exe	59
PID 1016 wrote to memory of 1904	1016	mscorsvw.exe	59
PID 1016 wrote to memory of 1904	1016	mscorsvw.exe	59
PID 1016 wrote to memory of 2704	1016	mscorsvw.exe	60
PID 1016 wrote to memory of 2704	1016	mscorsvw.exe	60
PID 1016 wrote to memory of 2704	1016	mscorsvw.exe	60
PID 1016 wrote to memory of 2704	1016	mscorsvw.exe	60
PID 888 wrote to memory of 276	888	SearchIndexer.exe	73
PID 888 wrote to memory of 276	888	SearchIndexer.exe	73
PID 888 wrote to memory of 276	888	SearchIndexer.exe	73
PID 1016 wrote to memory of 2824	1016	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe
"C:\Users\Admin\AppData\Local\Temp\f22b5528723d8a6e4c3470e74588429e43d11c2e1fc1a1de1e7c7e1501bf1dd5.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1252

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1ac -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 258 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 258 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 254 -NGENProcess 290 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 184 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 298 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 184 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 29c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 284 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 290 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 298 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 174 -NGENProcess 19c -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 238 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1400

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:636

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:376

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:240

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2612

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2896

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1836

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2796

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:276
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
336f8c2d8b49884b71605a881d57395d

SHA1
7d55cd3c4f624dd906a9101aee068bbae60c229f

SHA256
185cc25a29c8e3a2b087af0ac823ab9da898b00abe549745bc353d757829a96b

SHA512
01b82b44a0c8861e0ab968bb2a7548236e249ffaccf43c7def17999760eaf1a52d734c701b02bcfa6b1f72441e1512c51b8b05a5ce5b0ea097a65d39557dc021

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ff7c36439f7d4e8b66dcc682d5633cd6

SHA1
a9c087cf561527e87c9cf46d1047a5d16983572e

SHA256
eef3d27d099785f60145859d5a8d249f8855a38fa79b7aceb681b023de6a702b

SHA512
27053fc8ad34d698b120207a75a5af43a9ed0e6de100b2a44da23a4fb3a2a2e4890888648232d9f66af37160bd614fcb0d48d0a6fea50eb3fd7b40db175c92da

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
a6f015d5cbbff5803237f94f2866756d

SHA1
e9db1cce5d13a97f11bf08e6e67f0fc3e5a7656f

SHA256
3cf3cac61753d99ab15520825fda50e3d524005718c09aeb8471b881f03625bc

SHA512
ae43dc34c20bee02b555095560cfd200f5054ba2754b30ca8f61a3b53a817aa13b9c6b13e80600ce766f2e76b32c0686f1b6db550d8eb94a2fca87d43e35f4ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
3dcbd40886b7bfb3a906b8ec5cdc48a2

SHA1
862dbb94b53b68aac4d58525a20457aa9d9b2f99

SHA256
e64b439b2e296f3535696e477716843cf80a155522c0d695bd54014977114149

SHA512
cc61e5814336ba4f215f6fbebfb57e17227acd953a0ef9ae5c7cca95f0b19eabee7ab3cc029daf286257fe3c3dafe2d44fedfecd2e057c4d4984b58c9b21fab7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d494bf6f7f698508556bfd29c276d4d0

SHA1
cb6bea7ccc07663a041d975f539b6cc43cf414a0

SHA256
015b3f68582c7dacf0957c95d1045fd48fe256c670e5db1c6cd5c1a67b11b54b

SHA512
1ce8a9efe1b22ced72cc2ffa80a411ac5406476ac3b2f626b1068749dd02c12a0f89c3f89ef4b86f00290d4e9026a8bfe96c0583d873fac0fbd6d0c1495d3835

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
e5eebfd2d903845d067cbf1713aed886

SHA1
3a3444017a9589f6d16d90ba1167f55f2c57df89

SHA256
6fa0385e67d21052bf27d06c94ab03456f52d2de2f9131b0fe5fd8ec80507842

SHA512
19f10a14db84f9adc2bb8c671fdd438041e99a4a8871961690ca5ad35933a992f677e24c2ffa403133f0b8223cb9547a79cf523e4a05d409baafe16c63aece3b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6981ecfd697e640771247b6fccf8e87c

SHA1
a90c65819e4d380f04baff231754c906c5d72c1d

SHA256
1a98ae8e728e5be2c30b9ea3d90107360dee9a2f5b7f8f1d9b5dc402ca2b11ac

SHA512
e7e4360395fe59c52f35ab38cd775644eef37724a62dd4eb7088ade6037409b67f090f6f14046560c011d311597aa9aae226905b8b12337ed8bd7435a91dbfab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8552f58ae44c7d7e09a45e9f953950b1

SHA1
e3a8281af5eb210a1f12485f3bff875cc213501e

SHA256
afb83574f6be094f627dfb5a561f11923c73d9b5aaa86c5cafc926f49366ac7a

SHA512
b6744279288526e6a249d74635b0e7955851631ed8ca3668b5885b600458618592dc1575dbbd6819d7bc567cdb3790a18dd33081a5266bb4ff0e54ee74b062ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
07247f58de87e5d3603a63538f151db4

SHA1
0cce15c11290358be7924e3a320c3c44b3a18992

SHA256
810513db27620b7f33ac222c87d2e9d58b977567dc0ee11d58364cd51a1d6bef

SHA512
5cc0e27e90b2b2e2b5f087a74c2a9242cd590f47cd3d00162e7578eccfe2563e706547360f57fce50cb20b57ef4831ec14a378b194c679fb8212cebab34d1bc4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
865db001b2f1934afaf8be7c958d59f1

SHA1
545c23d34566b9b40ba43b697b2bb1bc016fde5b

SHA256
ab86a4634b68b8f238de21cc961df498a3e15eb2ce22ea177d0ee6729960d2b3

SHA512
c23a83db447f0c2f78113f3394974fc466ae219651954865cfc8e92c5fda47d7ac2f9c0e49906247b562c258084f86185499ec46a7ab809f436f9d0fd300c244

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9d14263db8d82eba1a857a7651b3da83

SHA1
f8188a91e5f621f2feada53ba3a3f9476a2ad647

SHA256
7d6bbac315d7c37e57a8e93aea614d5fe7f4ac35f15ede6c4f3d27592c61d372

SHA512
52d409b78b1854d18aab75ce1d8002169ece211ea38227c73b933b19d83402bc6422374d35d928d0c2deb11a5496f5a82384e1e83f61fe87ce7e31f680333eed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
7f37f320a59c1a37895ec5c31dc6c226

SHA1
3b7183a54fd18b227e399935bc1b1181877c6620

SHA256
e631237e4edfbf3b0ebf37022f8d43438bb5354e7abf31697dac8e6cd2c11c14

SHA512
86b3215c8dd88707560bc8d58a50edd6025403dd190b1abca3309e5d36c7e3221e4d696a9ebe7dca65b3bb1f701787842e51e6bb3246fec633778ccacbbad0c4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
4574e8e139bc8e14420d6fa201ff1663

SHA1
263449931b3c70670f23e6c1c8e36a5000c1db92

SHA256
0526e5f8e083ce740257382f85bf26d61e243f95ab5692b80e67d47c08d79783

SHA512
4c31898d4e4e4f7d686eb2820bdb8a4fde4a35fd50ddc10d69855ed691a4f3b8539f1fc42f8dabb6fa6569c96bda2c22f7ca4317fff989c02854cc480ace2a8e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
bd87c06ab2991196e6139ba9b3100c6a

SHA1
952ba6655c5255eeb7a750b822f521f0e6f92549

SHA256
8d124b6fed023c94af199997feadf4f663c613623060651b63fa7b920e2489d3

SHA512
d12e6207a9bcbbd7216e101b12c8df0ebb7b97d3e67799b18cb59f7c5c61e90fd36af8c581b9f3bf8bfdc37045a367add7d5561570f79fb92ed74c5ec47b4422

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
9872599b9a988135776e50119210ddca

SHA1
a320e189fba9c5aa707a18404bf490d53a5c6004

SHA256
d10d2e70971cc30111e3a986ef533acaddd4085ff17c363bae8c09d1ff2aefae

SHA512
8a1a1f5b9752706ecee1c37611abedb8daca2f21e992c01063a9217c244e6bb1632c3426324b793c73ab556ced54255de17f69a07d1e99180aae465cc9680fec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
0942710048626922ac8af8da2adb8f13

SHA1
9b50cf4318da73778da072d5c71af18772a8a948

SHA256
63c25e9b1be0fce73ddb41d292ef6b7d4fb4d8e0c89b2722c0e3c7e8294f86c1

SHA512
c4c903ba09fb7af33946deb31b7ef57199a12081c0a79a9ccf5207aef5a45a22103c2370c8e4350d1014e3cdca1fb3b295aeb9667ddf2df8e4edb0c4662b61a2

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
691KB

MD5
e1b9e24a6d9aa6eee92489e039b30ac5

SHA1
840eb3f4b462b2860e94760aa59dd1df3fe0b079

SHA256
9b7403a89849c47230eba84a8d7aad687371f3307de78f0f588cdc6420ea497b

SHA512
9a22ab4bbe9f50ddc886587b8cad47eb2ef08ccb704dabde0ce157dbc7e4b66c8efd234b93f98920cd476866ad1a892af9135611859170010abde79f5beabd9f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
ed07de6b761d9ce95a5214ec17809545

SHA1
3195ada66f72e999c6006fc4d2c3042f1a256c51

SHA256
6e501aebbdbc8eafe6b65f7d465eaa11b3f75d5976b96f079031f3ed711f4848

SHA512
1a8779c0cc77c8c21d0ea4298606bdf904ea0764b474b9c97195579e17f6e6ccd6b402d197c75c7a84a60a956cb777a134e770bc238542ef831ce85330c0943c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
27ffcbc7448dbff385b7badb11e5ed05

SHA1
86844fe59ea6a8c9053ef2dffd3cc56db990bb74

SHA256
394c74cf53d6340b9ef2ca554b10d95c12fb91644d1bd801ecce80234649c6f9

SHA512
0441cd3178ae814b308a4cbd6f16fe293c32646a9bce6ce1739a6895fbf2aa60eeef567dc95b689b089f732c607db1a2af6b7e4ac958a5a542e75a6c817ba3dc

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
51aeef55ca2846bc6ff263ab927808cc

SHA1
604c08b1485621c00003d78a8aaae73139a8f6cb

SHA256
3176b186d5acd2692a960972a6e0c44926fd24fc36521209a6a3dd32194ae2e2

SHA512
8a99a81cef6fce6683de3d3dbb8aa8789b9270dc7091b073fbab8b6d33546a7705c9853de98cc6e11531c8c256c1888c479be1c05b60546e8e39f523c8210ba2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
b10724504a13d62fb7725471dec2f69f

SHA1
28ce109a6df46d9c5825e416570910aff089223a

SHA256
d10a51d9645311320a8af62abd01f1cae0a7a38ae576d27e9e60e883aa580ad8

SHA512
1c8f16bf3c8088343fc2009152d331fdd501cf60bfe671ae75c611aa2601f95d27b4b3895208444cc278476422e3d514126b69f7008663cfebe8f2b7ed6e61cd

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
58082466de78d0b512c62af555dc7c66

SHA1
b1bd90cdec35e779592b0732a7414152a33519f4

SHA256
81025469509a7d7b133e170398bfd3956f331b74123a7f8df0b2b741309e3911

SHA512
577b234a1c366214af376ff24966dcb4c0aee0dde7cdf9ff0c286e643fe4220845b1c67bdb6949e97eca9b214b80f15c033ca908693db3e731830301a1e9a675

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
057ff65ec26a474fde805fa4e86e26bd

SHA1
27c5b946bd8ada037c1ac690fd68b84a91ad11c5

SHA256
da1be4e4660357c8059a25bff3f250c99d4b7ee213066c92e0d5c5ab94973153

SHA512
06150dcc753236510b73c69a75226ba61918130c6ee45d2f9f4ef55f2cdef8fd5413c51235d9d1dc58d590567c2e76329c99f5bcc90bef3bacc4ab2ba6326edb

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
bc5bfc91e304c94655ca1784dec7fcb3

SHA1
ddb879778b5b0f9fdf48099dee500f25865159a5

SHA256
b377b55fc6310338889eee811ab568363a9d5f47b047a19e1f55a3ebb85a7767

SHA512
0f6fa89cfee3d241c2ee3b4c2be42d2c4e173abf8324b35dab39eaf72e697f4b29d6c406b96b506552b1c2f43993a4d95135d9851cd118ccf3e96004bdd43266

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
8df2230273b26c7c3eff15b05aae0b0d

SHA1
b4f6273639fa551d94799d815fb89feea1f96abf

SHA256
94d40b382cc83ec8e63423b8773bcaa12f120ed649a2c80a8114bbfee5321f4b

SHA512
81be305ec076ca8aa3411019c6210e41a6a6f469e16afc88d6a9a7ba03047df7931acf8fc86b2ae27f484236e9e551925ae85a780e6dac901cabe1f80ae0b1cc

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
345bbb265cedfc231b42a2f399dc675b

SHA1
946c38f90f43da2c473db40b343e9533240c9b68

SHA256
e0217cd50c422fae0ccd924cf88ff58cb8d96c342f3ee272b581e607ab4c3464

SHA512
9a60e6ca719b3c154e9d09d5dedaab01f309764095aa83fdc4d4bf9deedcb473e293c67a676c7efe76c8c30bd8173a1ad7249fd0c0385f4d4cfdc0722ef1e20a

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
5544d6bef1a17f9caf18dd81f6b38a65

SHA1
b733873e6f6a6944bc1cf92b0a49b5c3ac937a81

SHA256
f5d70a81ae7917c4e8b600b6cff4956c9145057b7a421da0c22f1a4272b7e798

SHA512
125aa1b7552b31ddd6935ae2d15088566fcba8ce9ebb2331566e1a374aa2d6ca96d90332b60b2cb40d5167e68f7c0339dca6d9e48fb932e2187ee5d35f3e87f0

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5504e7ee11a14ce0744d74465ea4120e

SHA1
bb6c7314c80963bd075d3d69e7d1baeb86406a8d

SHA256
3368955d403bae2d3ef58e96a6b61449c185103fedb7b42736e09ee6864b5b3e

SHA512
9050ac4846f83d10fd09a6ec4ff1b203c3b4a3723cbc776f5f6fab8e361c2b7ec82e7d3d1a89eb974a014d0144b01562f5652b226fe62d1f24953f801c7641cc

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
968e451561a4e4c6bb314b9e9eb21112

SHA1
d1fba53d0b77a1be882ebea30096fb48d4104e0c

SHA256
71111b9ce09a4c5aa8fdcd78b81f9ee86681c023cf5aeeda3d4890e5bdcbf46b

SHA512
cb08885108ac5f7159bb10c98a3f7632a6528690a601bcff6de52d46fca64aa8a18d62861a413239ad42a47c2bca88aca22d7c27a134c3d4042bedd7ca47c184

Download Submit
memory/240-344-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/240-210-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/240-219-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/636-189-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/636-314-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/636-206-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/636-341-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/636-183-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/636-180-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1016-146-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1016-218-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1016-140-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1016-141-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1252-113-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/1252-108-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/1252-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1252-153-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1400-376-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/1400-382-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1400-370-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1504-330-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1560-159-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1560-305-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1560-160-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1560-166-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1784-343-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1784-362-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1784-348-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-363-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-336-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1944-194-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1944-334-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1944-328-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1944-203-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2132-411-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2268-131-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2268-178-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2268-123-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2268-124-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2476-1-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/2476-6-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/2476-7-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/2476-293-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2476-139-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2476-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2528-309-0x000007FEF4BB0000-0x000007FEF554D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-383-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2528-364-0x000007FEF4BB0000-0x000007FEF554D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-365-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2528-345-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2528-312-0x000007FEF4BB0000-0x000007FEF554D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-310-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2528-407-0x000007FEF4BB0000-0x000007FEF554D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-400-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2564-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2564-181-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2564-96-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2564-102-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2564-103-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2612-306-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2612-297-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2612-351-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2896-366-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2896-320-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2896-325-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2936-401-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2936-405-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-394-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-367-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-358-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/2940-380-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-353-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-381-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3024-69-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/3024-70-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/3024-13-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/3024-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3024-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download