484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 07:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
Size

1.8MB
MD5

dadace345d8777acb6f4554fe00eed29
SHA1

442a8e07b4551999f257fcbefc7b8a6137421aef
SHA256

484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9
SHA512

30a0d9846cf9f69e3495f10e67234c722b36d8e872fe62c1fd76d046a6b5a9e5fb2e1ac82fd91299b06704b6046595a0494f10f2a4d5df2e2eff4650608d90d0
SSDEEP

49152:7KJ0WR7AFPyyiSruXKpk3WFDL9zxnSZGhaOIh1Dp33PM:7KlBAFPydSS6W6X9lnRDIhZt/M

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 59 IoCs

pid	Process
468	Process not Found
2572	alg.exe
2896	aspnet_state.exe
2772	mscorsvw.exe
2188	mscorsvw.exe
976	mscorsvw.exe
1244	mscorsvw.exe
1480	dllhost.exe
1304	elevation_service.exe
1772	mscorsvw.exe
2664	mscorsvw.exe
3000	mscorsvw.exe
2604	mscorsvw.exe
1864	mscorsvw.exe
1348	mscorsvw.exe
2236	mscorsvw.exe
2260	mscorsvw.exe
572	mscorsvw.exe
2240	mscorsvw.exe
1556	mscorsvw.exe
1980	mscorsvw.exe
2156	mscorsvw.exe
2968	mscorsvw.exe
1940	mscorsvw.exe
2372	mscorsvw.exe
2368	mscorsvw.exe
2948	mscorsvw.exe
2776	GROOVE.EXE
2272	maintenanceservice.exe
2688	OSE.EXE
1628	mscorsvw.exe
1872	OSPPSVC.EXE
1916	mscorsvw.exe
2416	mscorsvw.exe
1924	mscorsvw.exe
2940	mscorsvw.exe
1804	mscorsvw.exe
1692	mscorsvw.exe
2664	mscorsvw.exe
2420	mscorsvw.exe
1144	mscorsvw.exe
1620	mscorsvw.exe
2680	mscorsvw.exe
2548	mscorsvw.exe
2992	ehRecvr.exe
1992	ehsched.exe
2152	IEEtwCollector.exe
2588	msdtc.exe
2636	msiexec.exe
2380	perfhost.exe
2744	locator.exe
1144	snmptrap.exe
2596	vds.exe
664	vssvc.exe
2104	wbengine.exe
1556	WmiApSrv.exe
1772	wmpnetwk.exe
1540	SearchIndexer.exe
324	mscorsvw.exe

Loads dropped DLL 17 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
2680	mscorsvw.exe
2680	mscorsvw.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2636	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1ebaf2909a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\GoogleUpdateOnDemand.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\goopdateres_ar.dll	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\goopdateres_es.dll	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\goopdate.dll	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\goopdateres_uk.dll	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\GoogleCrashHandler.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\goopdateres_pl.dll	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\goopdateres_hi.dll	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2FD7.tmp\goopdateres_el.dll	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0B8E4888-51C4-4171-A979-938CDD7FCB1F}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCDDA.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0B8E4888-51C4-4171-A979-938CDD7FCB1F}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{F5323C50-93DF-416F-8253-91959CD2639C}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{F5323C50-93DF-416F-8253-91959CD2639C}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2896	aspnet_state.exe
2896	aspnet_state.exe
2896	aspnet_state.exe
2896	aspnet_state.exe
2896	aspnet_state.exe
1928	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2180	484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
Token: SeShutdownPrivilege	976	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	976	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	976	mscorsvw.exe
Token: SeShutdownPrivilege	976	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeDebugPrivilege	2572	alg.exe
Token: SeShutdownPrivilege	976	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2896	aspnet_state.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: 33	1780	EhTray.exe
Token: SeIncBasePriorityPrivilege	1780	EhTray.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	976	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeRestorePrivilege	2636	msiexec.exe
Token: SeTakeOwnershipPrivilege	2636	msiexec.exe
Token: SeSecurityPrivilege	2636	msiexec.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe
Token: SeBackupPrivilege	2104	wbengine.exe
Token: SeRestorePrivilege	2104	wbengine.exe
Token: SeSecurityPrivilege	2104	wbengine.exe
Token: SeBackupPrivilege	664	vssvc.exe
Token: SeRestorePrivilege	664	vssvc.exe
Token: SeAuditPrivilege	664	vssvc.exe
Token: SeShutdownPrivilege	1244	mscorsvw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1436	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1772	1244	mscorsvw.exe	36
PID 1244 wrote to memory of 1772	1244	mscorsvw.exe	36
PID 1244 wrote to memory of 1772	1244	mscorsvw.exe	36
PID 1244 wrote to memory of 2664	1244	mscorsvw.exe	37
PID 1244 wrote to memory of 2664	1244	mscorsvw.exe	37
PID 1244 wrote to memory of 2664	1244	mscorsvw.exe	37
PID 976 wrote to memory of 3000	976	mscorsvw.exe	38
PID 976 wrote to memory of 3000	976	mscorsvw.exe	38
PID 976 wrote to memory of 3000	976	mscorsvw.exe	38
PID 976 wrote to memory of 3000	976	mscorsvw.exe	38
PID 976 wrote to memory of 2604	976	mscorsvw.exe	39
PID 976 wrote to memory of 2604	976	mscorsvw.exe	39
PID 976 wrote to memory of 2604	976	mscorsvw.exe	39
PID 976 wrote to memory of 2604	976	mscorsvw.exe	39
PID 976 wrote to memory of 1864	976	mscorsvw.exe	40
PID 976 wrote to memory of 1864	976	mscorsvw.exe	40
PID 976 wrote to memory of 1864	976	mscorsvw.exe	40
PID 976 wrote to memory of 1864	976	mscorsvw.exe	40
PID 976 wrote to memory of 1348	976	mscorsvw.exe	41
PID 976 wrote to memory of 1348	976	mscorsvw.exe	41
PID 976 wrote to memory of 1348	976	mscorsvw.exe	41
PID 976 wrote to memory of 1348	976	mscorsvw.exe	41
PID 976 wrote to memory of 2236	976	mscorsvw.exe	42
PID 976 wrote to memory of 2236	976	mscorsvw.exe	42
PID 976 wrote to memory of 2236	976	mscorsvw.exe	42
PID 976 wrote to memory of 2236	976	mscorsvw.exe	42
PID 976 wrote to memory of 2260	976	mscorsvw.exe	43
PID 976 wrote to memory of 2260	976	mscorsvw.exe	43
PID 976 wrote to memory of 2260	976	mscorsvw.exe	43
PID 976 wrote to memory of 2260	976	mscorsvw.exe	43
PID 976 wrote to memory of 572	976	mscorsvw.exe	44
PID 976 wrote to memory of 572	976	mscorsvw.exe	44
PID 976 wrote to memory of 572	976	mscorsvw.exe	44
PID 976 wrote to memory of 572	976	mscorsvw.exe	44
PID 976 wrote to memory of 2240	976	mscorsvw.exe	45
PID 976 wrote to memory of 2240	976	mscorsvw.exe	45
PID 976 wrote to memory of 2240	976	mscorsvw.exe	45
PID 976 wrote to memory of 2240	976	mscorsvw.exe	45
PID 976 wrote to memory of 1556	976	mscorsvw.exe	46
PID 976 wrote to memory of 1556	976	mscorsvw.exe	46
PID 976 wrote to memory of 1556	976	mscorsvw.exe	46
PID 976 wrote to memory of 1556	976	mscorsvw.exe	46
PID 976 wrote to memory of 1980	976	mscorsvw.exe	47
PID 976 wrote to memory of 1980	976	mscorsvw.exe	47
PID 976 wrote to memory of 1980	976	mscorsvw.exe	47
PID 976 wrote to memory of 1980	976	mscorsvw.exe	47
PID 976 wrote to memory of 2156	976	mscorsvw.exe	48
PID 976 wrote to memory of 2156	976	mscorsvw.exe	48
PID 976 wrote to memory of 2156	976	mscorsvw.exe	48
PID 976 wrote to memory of 2156	976	mscorsvw.exe	48
PID 976 wrote to memory of 2968	976	mscorsvw.exe	49
PID 976 wrote to memory of 2968	976	mscorsvw.exe	49
PID 976 wrote to memory of 2968	976	mscorsvw.exe	49
PID 976 wrote to memory of 2968	976	mscorsvw.exe	49
PID 976 wrote to memory of 1940	976	mscorsvw.exe	50
PID 976 wrote to memory of 1940	976	mscorsvw.exe	50
PID 976 wrote to memory of 1940	976	mscorsvw.exe	50
PID 976 wrote to memory of 1940	976	mscorsvw.exe	50
PID 976 wrote to memory of 2372	976	mscorsvw.exe	51
PID 976 wrote to memory of 2372	976	mscorsvw.exe	51
PID 976 wrote to memory of 2372	976	mscorsvw.exe	51
PID 976 wrote to memory of 2372	976	mscorsvw.exe	51
PID 976 wrote to memory of 2368	976	mscorsvw.exe	52
PID 976 wrote to memory of 2368	976	mscorsvw.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe
"C:\Users\Admin\AppData\Local\Temp\484490072e72d8ac911ea3f29a5a5002396ac0bb9e454250e15d0215d39637a9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2772

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1f0 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d8 -NGENProcess 26c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 260 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 27c -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 284 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 284 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 29c -NGENProcess 294 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 25c -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 204 -NGENProcess 1ec -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 254 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 228 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 204 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 248 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 204 -NGENProcess 208 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 230 -NGENProcess 27c -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:324

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1304

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2272

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2688

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1872

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2992

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1928

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1772

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
df45d27be799d5166684a75335b2516e

SHA1
392a4dca3f0b65cced3f3ec05d1e4d537197c3c6

SHA256
8d0860866a96c155f6f1dfd70244b9d800ec917a0c4e8760dee9d3abe1d20ca2

SHA512
5c0dcee0da1fa216cccbe0f183f0eb5149ccb2a770827c7827c5a19419da71515335c9de380c971d328d8ce8cfd30da858b1f0f69878c1b5e6fa5d41c6af17b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d91692bac395f8d2597450a2de990fac

SHA1
b844db79151c460c877f1b6e3f7e7d966156ec33

SHA256
f8d46e4e44534ebc6d79575d59eff10aea536c98b6385210be915c3265e1eeb8

SHA512
d9de7ba075ed21de11180a198d0eeef5c6feeca663958a349bad02a62da2bdf478036d2d1f221ccae8a0d8738fd79e7570e4242de38697c5c1346de64fb7ef2a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
b3549f011721f7d06260864fbce75398

SHA1
20fcde61137f99fadfd3040313890c2cb811fcd1

SHA256
44ae18e7945f5a92465668d0c3b4c1cacc46bd7f21f8b0fc61e09b748cccecad

SHA512
ea34718f4fe2da2460cc7ab52c8ea7577d19fd6f4beb489a2b63e8f0bf1c4602c4f733005dcc5a6c344153e76fe07beba4dcc4846d618187c7d984a7ee314417

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
c87d96a354eb3480fad06ccb0c061074

SHA1
ba9fa12ce06746e30fb17a22ad1c88beb6726fdf

SHA256
9c7f7f56b0a293d53e96c798c5c470667807e5e37306f74e45fb076eb71d7358

SHA512
d71111e972b1e8a0a57266a5077bab65f403129ca4d530cecd26e867bd517bb71b26f3d2e0f43ee43db7b8322c596128a0cc22928da0888fee140d6335330a7b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fc54c90b57a1737a2a1c37456ea20ea8

SHA1
910d89dc2f324e63b313d0fda028ffa74aebeefd

SHA256
c12f62d2a1dd0e1a33783e56c81151d0cbaf73e6d132a85d8058ea15310871fb

SHA512
ad68bbd72dea0ff0f3c2b9303e78bd049cfcaa892cc88498daaefe8edd3268f89ecfff0bcac99b87525aa866bbbcf94bec21e37ba4dab997599f0c4651f369ff

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d356353ab68eff9dd3084ba6defbfe53

SHA1
2ca6ac87e7dd7ae5b6c43e611a81493be54701ec

SHA256
5d5b68cf659f074fd08fe837c3c7120e0d4412461371f03cd3edee67615c5b30

SHA512
c2ec7f830a2d88d9348e820e691224cee0928a98887f2704d654b7846432096aeedeff5862e31e00ff67d0265f3318a70ef7664669c47b65ce570ed33ad8a4a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b05f7ad267e6e8b90d9c670fe2235955

SHA1
44d92b15c000109a07530c2427f8a43fe4fd87cb

SHA256
b3efa82b1e6ad3f0cc467647e7ce369dd63b72654ce85eabae0c6b77fc174aad

SHA512
fcc1bc9235b30b5ef2f59846742c7304ea457fe03b483522bc01506a2ea0b4e9fcedd4f84592169b8dd0a0f95cd9546fc4efa414decd51a3cce24ad797e84fd0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
75ab69e6387827f99568d7328fc7f5c2

SHA1
4ef8234dc05bd8caaf794fbad63eb4fb208883c3

SHA256
f2707c37968ea7968b9a6c492e37704f9de0a67f148d2f848c5e3bcf5f064bd8

SHA512
2368300757445a765bb8292b1690c62277e0b776f9b6ff511fc74477740b81d9f0631dec551c886ddfaf7c731b22223e0195a5fdc0600548c3c1ad7c01930453

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ad06fb2a356d99b8006f4d2988cd2478

SHA1
b013968e303d84370369c64bcfa9bd80674e0385

SHA256
26c27c95c3c7e8c93d0486d43f6022a7ccda9e13f1e4e4bb8ec46ed4c8750d6d

SHA512
c2f820c1b3d4ab9fe1c94f6aa139041ba9b4d724247961027cd2ddbd0b2a343c7e811898c849be09df9fcd33483cad8e66d64369c35772b5d902d2907bf31575

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ccec612a7a272302dfda07bfb8a5555c

SHA1
5bce046b09c4f8cb015d1d02b59e3dd9b46f5318

SHA256
dc806884e736ce7cccac7825f38fb7e8a36735e1f42d1c7a96ef57a95893388b

SHA512
16dd4131e09f7981743f484a4bf10935c72f471852c4cab236586333726b76c5bb495c5f5f2da0fbe7005c95783fdfd4e53d6d29c449e57acfc92a8007beca80

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
b012fcf438c8cae69a6977e4e40f960b

SHA1
b60f829c6a3736c8b6ce315685bebab3df4e30d2

SHA256
df2826c60006dfc6cfcf922bce0426c080280dee27aee289ac67c2937cb9c9da

SHA512
a1ec05cfc8adab0dc902be5be5a47f8fc54db8be71afa6f5ff1ac0bf2de6cb984e11d4cc9b9e205632814081df500360c8c41462529c4e84989c64674afe0a63

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
dac02a33932f4a45fb0cb7b760d8e703

SHA1
c686da68e7a9a5b22c1f187ae4b80f5408064a83

SHA256
a3740793e33567ce2aedae231f66f552e8b93cbf3340a3a8dd9c955dd1d81fda

SHA512
5e2ebcc84ad3c0654c6c8daa2f8b95f2cff6410ab246a0a729cc425fc4fa04c3406e5a3db52d592a73ad0eb10dc373ee219e61facd6521897729c922556647db

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
469c98393c0bf272d4647f9ede461020

SHA1
4e91d26a8ffb668203f9fcebcd2a53d4a9b43125

SHA256
a8d776ff8ec7fe158cb27798713c7cbb75f1916769bcf0a219dacdccb8b056e3

SHA512
e122b10263fca80553fdb9ee397fe398a6ab6e28f8fee0d35a4ff0ca19490296b0a848db41ca5f77da45ec629a950c0c36ac184aab7728448992146e86b650f4

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
cee4cd7e5a7338ff9c88fced3b2719b4

SHA1
9d45825ee8e63e96f3a39ff287ea5f3d4269716c

SHA256
39cc6a5f78e1a4a315143d3856e9e748e1707081e986773428fd778162ec1d0c

SHA512
e7d32594c4ac75a0f665e86fe80c0a827f50e61517a9834286456a4436be8a7eec3510cd21a0d2ca4b0b082987dad9192d20f8da9f581d30f3b6fffcc183c3d3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
49d444be15a85026eb8b10c7c77d4ebb

SHA1
a271e40950d0aa7cd03ad82a97bf37ad9bca2f8a

SHA256
1ed79439442449df551ca4d26865c5673a3599b20478802b2e878ed1e84fba9a

SHA512
beeb9c231f9820bb171fb57a850859131d3856fbeb59e9921fe37b7dab4191d83d7803c5f6fdbca393ad8280cc779075898e244079c98caa0e43d68b90471762

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0e85cd13d5b0b8993568a2e640f0053e

SHA1
71ec130c5587ee593cc44b84df813de12f83f77f

SHA256
e6605340e6a31ad484598ae33964277fc04f348a040f9cd1d8d8db61036606f0

SHA512
feb5e3d73ebac92f442fc07c0e1204fe59b51e49764cfc0287b0d5aec771dd37ac34a43102ce61525afb1e8d635a1085c1061cc947e8787d3c5a2fbda3cd7ae6

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
7423b7ecb1f1b9fece30315f7ad47a57

SHA1
6aca4d29134db51ec537ff84f368c56347d42343

SHA256
c736c1c6fdbab868d77efd2717781e3a4aabe59ee3da87a2a68252c764cc58de

SHA512
91206e4185d2f45a0b2fb40a45003a8465d8375122f562a5ff1723a150b64de6206cb41cc48b80d48be315611eb91b9fcab64183c38f7cb772731ace38e65fe0

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
4bbd0f301a7a9603f8e3f86f9aa0cdb7

SHA1
0af64717427b05c6e4c06978b0c1ccf4a942565f

SHA256
009a7588a35761f7fca51be8b9db24caa984517a92340543052eba2d368c6a6a

SHA512
46c02ea1e8085ca648fd523f39a12aedff63b4119b66532cb89ee4d753edbaaa2bf84c3b5d39acbe1987f0d381b3d2770d6c2fa1d10cd12a8b467c43d9b20866

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCDDA.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c458ddbcb01cc15f3fe918513804d470

SHA1
f78f4165ebfe6d0e5dfb10e08c41961899da8b24

SHA256
86c230ec3999f2133c584047144fdbfc59e24b2159e4973d5186782b43833962

SHA512
58d52bc68a8f7ee718564d01f9c9beb8ded94a3459c20ef4a00de59432578f5bcc0e4cf8e4f486b68e1f911b6fad4c7abac5087724ee94cd3a7344318b035b80

Download Submit
memory/572-407-0x00000000008A0000-0x0000000000907000-memory.dmp

Filesize
412KB

Download
memory/976-286-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/976-143-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/976-144-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/976-150-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1244-163-0x0000000140000000-0x000000014026F000-memory.dmp

Filesize
2.4MB

Download
memory/1244-170-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1244-160-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1244-302-0x0000000140000000-0x000000014026F000-memory.dmp

Filesize
2.4MB

Download
memory/1304-326-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1304-269-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1348-382-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/1348-369-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-381-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-363-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1480-184-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/1480-317-0x0000000100000000-0x0000000100256000-memory.dmp

Filesize
2.3MB

Download
memory/1480-186-0x0000000100000000-0x0000000100256000-memory.dmp

Filesize
2.3MB

Download
memory/1480-191-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/1480-192-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/1772-299-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1772-305-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1772-288-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1772-306-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1772-304-0x0000000140000000-0x000000014026F000-memory.dmp

Filesize
2.4MB

Download
memory/1864-367-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-355-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-368-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/1864-349-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2180-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2180-266-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2180-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2180-142-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2180-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2188-178-0x0000000010000000-0x0000000010268000-memory.dmp

Filesize
2.4MB

Download
memory/2188-123-0x0000000010000000-0x0000000010268000-memory.dmp

Filesize
2.4MB

Download
memory/2188-124-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2188-132-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2236-396-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/2236-378-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/2236-383-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-395-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-409-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-392-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2260-410-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/2260-397-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-25-0x0000000100000000-0x0000000100265000-memory.dmp

Filesize
2.4MB

Download
memory/2572-24-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2572-62-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2572-161-0x0000000100000000-0x0000000100265000-memory.dmp

Filesize
2.4MB

Download
memory/2572-88-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2604-353-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-354-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/2604-335-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/2604-341-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-312-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-303-0x0000000140000000-0x000000014026F000-memory.dmp

Filesize
2.4MB

Download
memory/2664-314-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2664-307-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-301-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2664-313-0x0000000140000000-0x000000014026F000-memory.dmp

Filesize
2.4MB

Download
memory/2772-107-0x0000000010000000-0x0000000010260000-memory.dmp

Filesize
2.4MB

Download
memory/2772-108-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2772-114-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2772-162-0x0000000010000000-0x0000000010260000-memory.dmp

Filesize
2.4MB

Download
memory/2896-103-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2896-96-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2896-95-0x0000000140000000-0x000000014025E000-memory.dmp

Filesize
2.4MB

Download
memory/2896-183-0x0000000140000000-0x000000014025E000-memory.dmp

Filesize
2.4MB

Download
memory/3000-319-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3000-324-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/3000-327-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-339-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3000-340-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download