914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
Size

1.8MB
MD5

3f8b68023ac4d32671c273f289848acc
SHA1

b2e7675dc7aebb222b47b95a5f653de81d0a38d4
SHA256

914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966
SHA512

62c431118da22e05c9d0f050ea05fea5563ba045ceb3b5a21448c7d1233da5f67269ad988300a16e73c2cff2f39bdfdd1450d499dd2c6a46c52e4808a7e908ca
SSDEEP

49152:bKJ0WR7AFPyyiSruXKpk3WFDL9zxnSF1DUg6J9wh6+w:bKlBAFPydSS6W6X9lnODU5J9ws+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2580	alg.exe
2940	aspnet_state.exe
2688	mscorsvw.exe
2724	mscorsvw.exe
1360	mscorsvw.exe
2768	mscorsvw.exe
1328	ehRecvr.exe
2308	ehsched.exe
2236	elevation_service.exe
2408	IEEtwCollector.exe
2080	dllhost.exe
2436	mscorsvw.exe
2492	GROOVE.EXE
1144	maintenanceservice.exe
2204	mscorsvw.exe
576	OSE.EXE
2852	OSPPSVC.EXE
864	mscorsvw.exe
1888	mscorsvw.exe
388	mscorsvw.exe
1696	mscorsvw.exe
1660	mscorsvw.exe
2568	mscorsvw.exe
2248	mscorsvw.exe
1128	mscorsvw.exe
1680	mscorsvw.exe
2460	mscorsvw.exe
1028	mscorsvw.exe
988	mscorsvw.exe
2720	mscorsvw.exe
2640	mscorsvw.exe
2792	mscorsvw.exe
2144	mscorsvw.exe
1104	mscorsvw.exe
1444	mscorsvw.exe
1272	mscorsvw.exe
2448	mscorsvw.exe
2440	mscorsvw.exe
1820	mscorsvw.exe
2652	mscorsvw.exe
1120	msdtc.exe
2060	msiexec.exe
476	perfhost.exe
2556	locator.exe
2688	snmptrap.exe
3044	vds.exe
2512	vssvc.exe
1664	wbengine.exe
1872	WmiApSrv.exe
396	wmpnetwk.exe
984	SearchIndexer.exe
968	mscorsvw.exe
2392	mscorsvw.exe
2644	mscorsvw.exe
2660	mscorsvw.exe
2264	mscorsvw.exe
1088	mscorsvw.exe
2756	mscorsvw.exe
1504	mscorsvw.exe
1924	mscorsvw.exe
2288	mscorsvw.exe
2720	mscorsvw.exe
2568	mscorsvw.exe

Loads dropped DLL 35 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2060	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
736	Process not Found
2264	mscorsvw.exe
2264	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
1924	mscorsvw.exe
1924	mscorsvw.exe
2720	mscorsvw.exe
2720	mscorsvw.exe
2128	mscorsvw.exe
2128	mscorsvw.exe
3068	mscorsvw.exe
3068	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
1888	mscorsvw.exe
1888	mscorsvw.exe
2024	mscorsvw.exe
2024	mscorsvw.exe
1524	mscorsvw.exe
1524	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\cfdc1157df8f25a.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_lt.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_bn.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_de.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_sk.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DACF1076-23BF-40CD-A7B7-7111819689FE}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_et.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_cs.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_pl.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DACF1076-23BF-40CD-A7B7-7111819689FE}\chrome_installer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_sw.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_ko.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_sr.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_zh-CN.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\GoogleUpdateOnDemand.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4402.tmp\goopdateres_zh-TW.dll	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	elevation_service.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6FA4.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP32B4.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8259.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6307.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3D00.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	elevation_service.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{3AEF6929-5294-4A54-99DD-F7ABAF5EEADD}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1740	ehRec.exe
2236	elevation_service.exe
2236	elevation_service.exe
2236	elevation_service.exe
2236	elevation_service.exe
2236	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2380	914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: 33	1436	EhTray.exe
Token: SeIncBasePriorityPrivilege	1436	EhTray.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeDebugPrivilege	1740	ehRec.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: 33	1436	EhTray.exe
Token: SeIncBasePriorityPrivilege	1436	EhTray.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeDebugPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2236	elevation_service.exe
Token: SeRestorePrivilege	2060	msiexec.exe
Token: SeTakeOwnershipPrivilege	2060	msiexec.exe
Token: SeSecurityPrivilege	2060	msiexec.exe
Token: SeBackupPrivilege	2512	vssvc.exe
Token: SeRestorePrivilege	2512	vssvc.exe
Token: SeAuditPrivilege	2512	vssvc.exe
Token: SeBackupPrivilege	1664	wbengine.exe
Token: SeRestorePrivilege	1664	wbengine.exe
Token: SeSecurityPrivilege	1664	wbengine.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: 33	396	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	396	wmpnetwk.exe
Token: SeDebugPrivilege	2236	elevation_service.exe
Token: SeManageVolumePrivilege	984	SearchIndexer.exe
Token: 33	984	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	984	SearchIndexer.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	2768	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1436	EhTray.exe
1436	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1436	EhTray.exe
1436	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2000	SearchProtocolHost.exe
2000	SearchProtocolHost.exe
2000	SearchProtocolHost.exe
2000	SearchProtocolHost.exe
2000	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2436	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 2436	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 2436	2768	mscorsvw.exe	42
PID 2768 wrote to memory of 2204	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 2204	2768	mscorsvw.exe	44
PID 2768 wrote to memory of 2204	2768	mscorsvw.exe	44
PID 1360 wrote to memory of 864	1360	mscorsvw.exe	47
PID 1360 wrote to memory of 864	1360	mscorsvw.exe	47
PID 1360 wrote to memory of 864	1360	mscorsvw.exe	47
PID 1360 wrote to memory of 864	1360	mscorsvw.exe	47
PID 1360 wrote to memory of 1888	1360	mscorsvw.exe	48
PID 1360 wrote to memory of 1888	1360	mscorsvw.exe	48
PID 1360 wrote to memory of 1888	1360	mscorsvw.exe	48
PID 1360 wrote to memory of 1888	1360	mscorsvw.exe	48
PID 1360 wrote to memory of 388	1360	mscorsvw.exe	49
PID 1360 wrote to memory of 388	1360	mscorsvw.exe	49
PID 1360 wrote to memory of 388	1360	mscorsvw.exe	49
PID 1360 wrote to memory of 388	1360	mscorsvw.exe	49
PID 1360 wrote to memory of 1696	1360	mscorsvw.exe	50
PID 1360 wrote to memory of 1696	1360	mscorsvw.exe	50
PID 1360 wrote to memory of 1696	1360	mscorsvw.exe	50
PID 1360 wrote to memory of 1696	1360	mscorsvw.exe	50
PID 1360 wrote to memory of 1660	1360	mscorsvw.exe	51
PID 1360 wrote to memory of 1660	1360	mscorsvw.exe	51
PID 1360 wrote to memory of 1660	1360	mscorsvw.exe	51
PID 1360 wrote to memory of 1660	1360	mscorsvw.exe	51
PID 1360 wrote to memory of 2568	1360	mscorsvw.exe	52
PID 1360 wrote to memory of 2568	1360	mscorsvw.exe	52
PID 1360 wrote to memory of 2568	1360	mscorsvw.exe	52
PID 1360 wrote to memory of 2568	1360	mscorsvw.exe	52
PID 1360 wrote to memory of 2248	1360	mscorsvw.exe	53
PID 1360 wrote to memory of 2248	1360	mscorsvw.exe	53
PID 1360 wrote to memory of 2248	1360	mscorsvw.exe	53
PID 1360 wrote to memory of 2248	1360	mscorsvw.exe	53
PID 1360 wrote to memory of 1128	1360	mscorsvw.exe	54
PID 1360 wrote to memory of 1128	1360	mscorsvw.exe	54
PID 1360 wrote to memory of 1128	1360	mscorsvw.exe	54
PID 1360 wrote to memory of 1128	1360	mscorsvw.exe	54
PID 1360 wrote to memory of 1680	1360	mscorsvw.exe	55
PID 1360 wrote to memory of 1680	1360	mscorsvw.exe	55
PID 1360 wrote to memory of 1680	1360	mscorsvw.exe	55
PID 1360 wrote to memory of 1680	1360	mscorsvw.exe	55
PID 1360 wrote to memory of 2460	1360	mscorsvw.exe	56
PID 1360 wrote to memory of 2460	1360	mscorsvw.exe	56
PID 1360 wrote to memory of 2460	1360	mscorsvw.exe	56
PID 1360 wrote to memory of 2460	1360	mscorsvw.exe	56
PID 1360 wrote to memory of 1028	1360	mscorsvw.exe	57
PID 1360 wrote to memory of 1028	1360	mscorsvw.exe	57
PID 1360 wrote to memory of 1028	1360	mscorsvw.exe	57
PID 1360 wrote to memory of 1028	1360	mscorsvw.exe	57
PID 1360 wrote to memory of 988	1360	mscorsvw.exe	58
PID 1360 wrote to memory of 988	1360	mscorsvw.exe	58
PID 1360 wrote to memory of 988	1360	mscorsvw.exe	58
PID 1360 wrote to memory of 988	1360	mscorsvw.exe	58
PID 1360 wrote to memory of 2720	1360	mscorsvw.exe	61
PID 1360 wrote to memory of 2720	1360	mscorsvw.exe	61
PID 1360 wrote to memory of 2720	1360	mscorsvw.exe	61
PID 1360 wrote to memory of 2720	1360	mscorsvw.exe	61
PID 1360 wrote to memory of 2640	1360	mscorsvw.exe	62
PID 1360 wrote to memory of 2640	1360	mscorsvw.exe	62
PID 1360 wrote to memory of 2640	1360	mscorsvw.exe	62
PID 1360 wrote to memory of 2640	1360	mscorsvw.exe	62
PID 1360 wrote to memory of 2792	1360	mscorsvw.exe	63
PID 1360 wrote to memory of 2792	1360	mscorsvw.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe
"C:\Users\Admin\AppData\Local\Temp\914afe5b92937be326ea1a85c952087f332c644c7d74c50bc4ef70d65fa52966.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2688

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 270 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 2e8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 308 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 24c -NGENProcess 2f4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 348 -NGENProcess 270 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 270 -NGENProcess 308 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 2e8 -NGENProcess 354 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 354 -NGENProcess 338 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 35c -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 270 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 330 -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 340 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 370 -NGENProcess 360 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 370 -NGENProcess 340 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 24c -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 374 -NGENProcess 380 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 378 -NGENProcess 330 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 270 -NGENProcess 380 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 34c -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 340 -NGENProcess 380 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 384 -NGENProcess 390 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 384 -NGENProcess 364 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 13c -NGENProcess 1b8 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 13c -InterruptEvent 1f8 -NGENProcess 14c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 200 -NGENProcess 1c8 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 208 -NGENProcess 1d4 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 208 -NGENProcess 200 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 200 -NGENProcess 13c -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1f8 -NGENProcess 21c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 208 -NGENProcess 220 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 13c -NGENProcess 224 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 21c -NGENProcess 228 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 220 -NGENProcess 22c -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 22c -NGENProcess 224 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 200 -NGENProcess 238 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 23c -NGENProcess 200 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:1144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 234 -NGENProcess 21c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 21c -NGENProcess 13c -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 22c -NGENProcess 248 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1f8 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 208 -NGENProcess 13c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 250 -NGENProcess 230 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 210 -NGENProcess 254 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 198 -NGENProcess 13c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 21c -NGENProcess 210 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 258 -NGENProcess 210 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f8 -NGENProcess 264 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:2496

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1328

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2080

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2492

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1144

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:576

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2852

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:476

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2892
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
533a1c37def7da2fe48b3e380ed45465

SHA1
49ed96bcff8eafa0356be3ad057e6aaf46d302f3

SHA256
244ebf513a8a42feb8fa80fe45459f2364f17980a8dff0ce30c34803a07d1783

SHA512
3efd23ea5d86b7fcf50648b829fac5cfad5f2db4727663e332a4e1e6b589f2c9e769b4fba836c22aae58a91c0e0b2ffad13f490492c0f42d681def71f9165478

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d415c9b6de40f38e747311083e681135

SHA1
acc8472b7bf2f1f285a02ce7c4941eb6cfa5efd2

SHA256
21981f9b5fae161191e533bd69aeb5d9037b4f138fa2c631e63a7b80b61d750f

SHA512
af108b9bd1c8062b61a9e02649cf7dc74c27f9f3838bee96d376e97bf970fb3ddd86c87af233589d848ab52412b82fb621497f7e2c15c3851b968c6ffccae80d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
394279528d185897278497a9b97cd75d

SHA1
92b8d0ed5403b464674a9d4cefcf33c0891cafea

SHA256
b255e46419e253a0c6ad65b8537f1f205db2fc6f98227e1f8877bb0039817018

SHA512
5369b476fe0c22e208727bc9e0cf272f2a0457c29ebe7f062244d5a1e594248c60f48b8bba071fc29166be5d664483153739fe5b2c83fd0ea6448c9208843e2d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d8333ca65bf7688348f94ee234b6dd7f

SHA1
10c2d605d3703e53c590b9b9fd0530366ef181ea

SHA256
9bc74379e9ed2bdaa7d1c223b1396aff930c4689a32ed73a3c4f6aa2ff72f792

SHA512
f49b5f1e356b4c816d71526e1abc6b7d3b6089ff2c77a6443681558ceec2b2d1e7713f9a58d41aa3cc28aab076c81a269b1345794d9f0797ce9dcf1140ee523b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
66acd65b9e2bfd8cb047d65f7fcef9df

SHA1
68162e344bb7d8e650301938641b4f99052f385c

SHA256
aef1845734c9c02947f19700c6c4583ed5439f48c9b8b2ec0fead6799ff561b6

SHA512
3d7b830f0d0ae50201f70dddb2c692287711a0cec3b5e7881f28b974a78a7302f70f6ac8263a0a712955b2714419578ecc3fef2d4f4702e5af57b83e50ff7862

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c5d0435dfb9c35483566b872670e5889

SHA1
6a953801732060a197e949031be3e670ba141a32

SHA256
8ae38ecb80d0bb15f325b95e09be64235f7bed0e7e4d00293c7eda2c0a9390e6

SHA512
0d40517720271c799a790debbde357e65cf29266c220d212fc688ad043461a93cd0674bac48dfead99c211a60af6bcfcfa8d59679652c87ef380163138e72785

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
8135dad6ea76d5d0c07b29f1ddd3250a

SHA1
5740b39e10f6da5c229ef867cfb84bce21727dee

SHA256
25c4af6594b7cc35721003af0c632318ab43197214ad7ccb80a466e428d3bc16

SHA512
d4199e85c5de6eaf53953752da8b6476fcbfe3c3ec1c6fae85bbf20ef4a43593c83d83c9d9295cfb7762f9b156e41d88020cb918dae6dc9ceda61e70fffabe03

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
5bdeddfca2904e8bcaff84d684d875bc

SHA1
d518e72efa09b69739a779f6fbcc30c0b64b47ef

SHA256
f3af3a771c1a0367ed565365b4fb9fc311c8616af87b2b4ec36225ee2a6d0e4e

SHA512
1574adc0cd7df6b3d261a9d7152185f132d3b80bbb3918547f1d17897644a8fdc849b6479b883e1ed2df93c3ef82b10ba30193c902943da367ca9fe8f470180c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
7ffdf2d207a46cd33a6c5dbf56276df0

SHA1
5d7c76bd1fefd9b9a145d89b90b65506f4d69627

SHA256
84776226649c4e75f1fbaf9bf0d4ce17be6b31204fb8a79eada709f33ff2d7aa

SHA512
e1ab2aa7854375c4edab3ba79a567544c4b9cf169d2a7b86dcfe17c2ea60131bc2a15c75a88766f789abbb1f2fc9a9ee4f62facc9fbc705e981c9bdd6b39d198

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
83b1a10cfde21a04066fb15559d1f34f

SHA1
4c840aaeb5cc25d96db4403d9695b2b7b021128f

SHA256
d3357bb31e5320be347ad8d50511cd93c8c61e59911701daae4e3893a4d132d0

SHA512
b03e8c2a7f6ba695d9eec6621856ec434571a974e1ce67124a84f01e792ee1e6c6deedfbe550c8cc3ddda25a3044f758bf480ecf658251534b6fc7924060a5f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
c43a2f83b604539f64bb30cb5a418189

SHA1
659c36e68fb9315586916ca1851c5c9fd75a2018

SHA256
f27b5eaf2eeccbc130abbbc07d87e5c28ab82479b6f9deb38718f4a76f848622

SHA512
d8e0f784780cb7f2f03a5b955ef03b947e7c701a749a203d34cb34ce669ae2cd2efaf2ad533fb75ae8f561b21bb7c02266c7f6c8fd557ac27041652435459c24

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b4a67c7f040fbd53756c579aaec581c2

SHA1
e8efcfd06f48f6e50632fd091764c151e1a91599

SHA256
0254a14a82e48c923d4bb01fa178fc8712b2a14b0a39fb22d61d1ff6a953eae6

SHA512
88a091bfb81fd9efc742bbd0b8c5a27333139673df9f39bda75bcdc58cf13738ac5a5feb23ddff1f0d5e82f6f24532817b54d2e7b6773d5699a485e00c407bae

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
1f63838424e07d0bc94c5c58bb089235

SHA1
41e31ac5fd51bc52875fc04a7ba384d81340f6dc

SHA256
91650d5609b686c957613ed79328b7a6cb7e087d35a4cc1e6c10a54abf490c08

SHA512
0060895385e000777fe0fb0e624e30257f596464e7ae30788babd5a2e38436a50ecd7d75fa527a19f18de42c916398d060faf226eefd9b1f1164cf57c735ce0a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\cfdc1157df8f25a.bin

Filesize
12KB

MD5
e9f6b559b0a132b4c0d11a1711a4559e

SHA1
7d3ac8c30a8a369670a58a07ad11519a52964d8c

SHA256
f02f56396ff611feb9cddc42a46e55b8e74ebd6c25322854fc056bc9af5a783c

SHA512
60d06d43738c2ce9c5d1125b926ce5aaa54e56b115d49fb63d87df482eef637dfa969d4936f14fbe219b40734e7d2e846c254114320a3850ec2de24630588d24

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
2a1e328a84d4d7ccf0d53c2ebbb6368d

SHA1
18532c5391dfcabafae2481ab03d9d60ff7b72a5

SHA256
5710c21b98cbc04b81b3af9a9b9c137381207b783a38161baacb1df4d7e1e5ad

SHA512
42a3b548aa7dedf4c57827c25c7bedeba62fb3b50fd53cf1cf68bb127a9e02a7087d511fdc0fa3bf35fab9a1db0567b77728a4442670f2596ea43c9b0456e8fc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
0a95d7a8ace297e423225c17ba60603a

SHA1
512dbc61e3e2eb24021147970da3797a941b4107

SHA256
bdf734da67d4eeb443040861ea54da34cd6654add5b351355550857902aad916

SHA512
79c5b57c26796bf55443fc07904e07a49625075040aea8b607e8ba9fcfbf2a1087230889bde4d16a1f186f3cace0a34ddd4e900cc75da1c64fa5ca57388e325d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
25f537164c9e420ef207b57b91e33553

SHA1
9c0350fc54795e8ab58a79000244c9c8ea440e19

SHA256
b3b1e136d202f46a4ab50f10c2fbb90fb9c6445799d3771dabd263130c8e7439

SHA512
27afc25354a3c08b3fa0927682cdaf1a4af2c6891d741198aeec9ee5e3b16f7940f49b36e11e84c773b9c70cfc56335cc10be9d2e789afab95f5147ab03f287b

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
e103e96f2f7f683b7afb5c145779ff10

SHA1
fc71b31505727b9de7866b1be6efd84e1080884a

SHA256
c1233d7152793e551367bb5faf33535b757738b315436bc9ee86e9744742de56

SHA512
0399fcc849a0c08a7bd627da3b4ca22556fe70b1c9580987a9eff368939fefa31e61a874e78dd39294bc20ff64732dc4d1f621744ddaee9f33defb26adef3a02

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
77901eaa6be232f55510396e6d184436

SHA1
018f6492c3d14d12665aea3ff1cd846797181064

SHA256
baa80771d837eb3e215dcaaf739071c6f394d9c3d8f46e403fa0c57494b74495

SHA512
2a9efce8627cb766f8d6023ed322133a23b228602edcdc73d95e0fb77d575c2d4cc49406e34e2f989d46fade5d1cdce0067918fd4b66d1ded58db3c0169d95a4

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
18dcb9f7188979e7bce32cd7b602fba4

SHA1
ba42e2da554820c4bf509076a5cc49addb14161a

SHA256
d97ca22ebeaccf3b9612ed2039509cf85611a3adf41292528211aa56737f20fb

SHA512
ba9ae9c8171848d741ab908059d9289c1e81f0dec45b1c93dfedd47e58e1cdec149124253c186e0cec2035b4be5d88b64a285bf88d66b792ac9eb0d8a03f7803

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
5145d8a7c4d439f5bf771c50ae0763ae

SHA1
26f09553117cfa4b326f9c6906dce590a8668b06

SHA256
6de7846f3389e2e82914c077ed7383cd01b04f30ea900f63e31415f7e0b4ff00

SHA512
051e75eac89c88e335da8b12f2ad7e56f8a0f5fe2de4a4695a7afef67a371851a5921468de2896852962c87a98e7f795adeac141493bae20656094d8187951f5

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
692c017aaa7baf1f1a2de70291302d8d

SHA1
3e0ca46de80ba5e54144e96a4ef24ad1b7bc63d8

SHA256
060a1563bb8ec9f1ec2fd16f42aa40217b105201c3d52b6dda85420fea89ff5e

SHA512
5d7e424bdef24ef41215836aa73d389cb304e3da8fa8219a82f6216b8f35e3f63a0f8e12a46faaa4798df4ec568c37ee07306ae02e448372331b18e67e83517c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d37b4838d0f83e30b7755c7f51b2ed86

SHA1
d373f755b5bd951edb0680b15d4878072160190d

SHA256
23415d75b2cf48e4546b71906f119428e0bcb4cb2ed5df2c7bdc434a8c6eadc5

SHA512
d9d18e71b200d98f55c4c33e295d46f70024a50051037c787e52afdd78c193fdeb4d1e0e59e373a59796209aa833cbc6eeb256873e76eefbce9bce2942ce33ce

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
dc9505b8d4e32719303703ba4420d9ae

SHA1
db6388c57de6c024435b350a2a90105997c014a0

SHA256
c1314e4cf64a52d26889aab65c02cbd32fb2cde44388b3ea92312c5fc10f806d

SHA512
8f6f4caa24c7a2b150ead7e5fa75c51f31ccb1b505f5e8e4721d94926c1b8378613e774378326d29c7e11f692ac3324e9cacf642bd973901039308e4c8d320a5

Download Submit
memory/576-341-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/864-456-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/864-527-0x0000000072530000-0x0000000072C1E000-memory.dmp

Filesize
6.9MB

Download
memory/864-464-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1144-344-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1144-329-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1144-332-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1144-346-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1328-172-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1328-152-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1328-339-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1328-146-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1328-144-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1328-169-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1328-168-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1328-304-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1360-257-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1360-121-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/1360-116-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/1360-115-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1740-359-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/1740-302-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/1740-272-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/1740-454-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/1740-270-0x000007FEF3DF0000-0x000007FEF478D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-275-0x000007FEF3DF0000-0x000007FEF478D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-357-0x000007FEF3DF0000-0x000007FEF478D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-277-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2080-264-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2080-271-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2204-326-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2204-377-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2204-333-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-378-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2204-327-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2204-465-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-348-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2236-182-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2236-176-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2236-175-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2308-166-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2308-330-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2308-158-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2308-159-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2308-511-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2308-510-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2308-167-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2380-143-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2380-259-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2380-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2380-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2380-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2380-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2408-276-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2436-303-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2436-325-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-289-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2436-347-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2436-463-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-284-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2436-340-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2492-286-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2492-366-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2492-300-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2492-305-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2580-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2580-157-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2688-89-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2688-140-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2688-95-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2688-88-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2724-124-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2724-104-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2768-130-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2768-285-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2852-362-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2852-361-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2852-353-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2940-80-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2940-165-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download