cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
Size

625KB
MD5

a833081033be25dab5419209fd333d4e
SHA1

5f26f29c8ad182ed70fefe3144e0ab1a797f1a50
SHA256

cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82
SHA512

51b481c0b690b05b71465af526c702c394486e0bd538c06420ffbaf5180ef3ca870c407957c055b45bcd3fe864fae6a3171dbf9048ca73c286cea620ab11e1a4
SSDEEP

12288:z2SGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhn:C1t/sBlDqgZQd6XKtiMJYiPUn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2568	alg.exe
2668	aspnet_state.exe
2480	mscorsvw.exe
2016	mscorsvw.exe
2832	mscorsvw.exe
1636	mscorsvw.exe
1052	ehRecvr.exe
320	ehsched.exe
1832	elevation_service.exe
1532	dllhost.exe
1616	GROOVE.EXE
1756	maintenanceservice.exe
1576	mscorsvw.exe
2860	OSE.EXE
312	OSPPSVC.EXE
2504	mscorsvw.exe
2036	mscorsvw.exe
2632	mscorsvw.exe
1268	mscorsvw.exe
2776	mscorsvw.exe
1368	mscorsvw.exe
1952	mscorsvw.exe
2364	mscorsvw.exe
2696	mscorsvw.exe
1284	mscorsvw.exe
1488	mscorsvw.exe
2188	mscorsvw.exe
2796	mscorsvw.exe
1596	mscorsvw.exe
1680	mscorsvw.exe
1856	mscorsvw.exe
2800	mscorsvw.exe
796	mscorsvw.exe
2252	mscorsvw.exe
2484	mscorsvw.exe
1492	mscorsvw.exe
2220	mscorsvw.exe
2312	mscorsvw.exe
696	mscorsvw.exe
2948	msdtc.exe
1292	msiexec.exe
1104	perfhost.exe
2252	locator.exe
2856	snmptrap.exe
1740	vds.exe
584	vssvc.exe
3048	wbengine.exe
1768	WmiApSrv.exe
904	wmpnetwk.exe
2176	SearchIndexer.exe
784	mscorsvw.exe
2148	mscorsvw.exe
2836	mscorsvw.exe
296	mscorsvw.exe
1716	mscorsvw.exe
1760	mscorsvw.exe
2512	mscorsvw.exe
1580	mscorsvw.exe
2788	mscorsvw.exe
1620	mscorsvw.exe
1756	mscorsvw.exe
1736	mscorsvw.exe
1120	mscorsvw.exe

Loads dropped DLL 28 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1292	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
748	Process not Found
1716	mscorsvw.exe
1716	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
1756	mscorsvw.exe
1756	mscorsvw.exe
1120	mscorsvw.exe
1120	mscorsvw.exe
840	mscorsvw.exe
840	mscorsvw.exe
884	mscorsvw.exe
884	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b741d4369a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{89C4F14B-4003-4E4F-9969-A2103971EDD4}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8CE4.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E71.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP72CF.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{04563BBD-C5F7-45CD-B2D9-8C689E46FB79}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA14E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E73.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{FCC370EF-8AD4-4CB7-8710-1926BFFDF410}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1404	ehRec.exe
2668	aspnet_state.exe
2668	aspnet_state.exe
2668	aspnet_state.exe
2668	aspnet_state.exe
2668	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1704	cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: 33	2124	EhTray.exe
Token: SeIncBasePriorityPrivilege	2124	EhTray.exe
Token: SeDebugPrivilege	1404	ehRec.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: 33	2124	EhTray.exe
Token: SeIncBasePriorityPrivilege	2124	EhTray.exe
Token: SeDebugPrivilege	2568	alg.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2668	aspnet_state.exe
Token: SeRestorePrivilege	1292	msiexec.exe
Token: SeTakeOwnershipPrivilege	1292	msiexec.exe
Token: SeSecurityPrivilege	1292	msiexec.exe
Token: SeBackupPrivilege	584	vssvc.exe
Token: SeRestorePrivilege	584	vssvc.exe
Token: SeAuditPrivilege	584	vssvc.exe
Token: SeBackupPrivilege	3048	wbengine.exe
Token: SeRestorePrivilege	3048	wbengine.exe
Token: SeSecurityPrivilege	3048	wbengine.exe
Token: SeDebugPrivilege	2668	aspnet_state.exe
Token: SeManageVolumePrivilege	2176	SearchIndexer.exe
Token: 33	2176	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2176	SearchIndexer.exe
Token: 33	904	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	904	wmpnetwk.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2124	EhTray.exe
2124	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2124	EhTray.exe
2124	EhTray.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2364	SearchProtocolHost.exe
2364	SearchProtocolHost.exe
2364	SearchProtocolHost.exe
2364	SearchProtocolHost.exe
2364	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe
572	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1576	2832	mscorsvw.exe	42
PID 2832 wrote to memory of 1576	2832	mscorsvw.exe	42
PID 2832 wrote to memory of 1576	2832	mscorsvw.exe	42
PID 2832 wrote to memory of 1576	2832	mscorsvw.exe	42
PID 2832 wrote to memory of 2504	2832	mscorsvw.exe	45
PID 2832 wrote to memory of 2504	2832	mscorsvw.exe	45
PID 2832 wrote to memory of 2504	2832	mscorsvw.exe	45
PID 2832 wrote to memory of 2504	2832	mscorsvw.exe	45
PID 2832 wrote to memory of 2036	2832	mscorsvw.exe	46
PID 2832 wrote to memory of 2036	2832	mscorsvw.exe	46
PID 2832 wrote to memory of 2036	2832	mscorsvw.exe	46
PID 2832 wrote to memory of 2036	2832	mscorsvw.exe	46
PID 2832 wrote to memory of 2632	2832	mscorsvw.exe	47
PID 2832 wrote to memory of 2632	2832	mscorsvw.exe	47
PID 2832 wrote to memory of 2632	2832	mscorsvw.exe	47
PID 2832 wrote to memory of 2632	2832	mscorsvw.exe	47
PID 2832 wrote to memory of 1268	2832	mscorsvw.exe	48
PID 2832 wrote to memory of 1268	2832	mscorsvw.exe	48
PID 2832 wrote to memory of 1268	2832	mscorsvw.exe	48
PID 2832 wrote to memory of 1268	2832	mscorsvw.exe	48
PID 2832 wrote to memory of 2776	2832	mscorsvw.exe	49
PID 2832 wrote to memory of 2776	2832	mscorsvw.exe	49
PID 2832 wrote to memory of 2776	2832	mscorsvw.exe	49
PID 2832 wrote to memory of 2776	2832	mscorsvw.exe	49
PID 2832 wrote to memory of 1368	2832	mscorsvw.exe	50
PID 2832 wrote to memory of 1368	2832	mscorsvw.exe	50
PID 2832 wrote to memory of 1368	2832	mscorsvw.exe	50
PID 2832 wrote to memory of 1368	2832	mscorsvw.exe	50
PID 2832 wrote to memory of 1952	2832	mscorsvw.exe	51
PID 2832 wrote to memory of 1952	2832	mscorsvw.exe	51
PID 2832 wrote to memory of 1952	2832	mscorsvw.exe	51
PID 2832 wrote to memory of 1952	2832	mscorsvw.exe	51
PID 2832 wrote to memory of 2364	2832	mscorsvw.exe	52
PID 2832 wrote to memory of 2364	2832	mscorsvw.exe	52
PID 2832 wrote to memory of 2364	2832	mscorsvw.exe	52
PID 2832 wrote to memory of 2364	2832	mscorsvw.exe	52
PID 2832 wrote to memory of 2696	2832	mscorsvw.exe	53
PID 2832 wrote to memory of 2696	2832	mscorsvw.exe	53
PID 2832 wrote to memory of 2696	2832	mscorsvw.exe	53
PID 2832 wrote to memory of 2696	2832	mscorsvw.exe	53
PID 2832 wrote to memory of 1284	2832	mscorsvw.exe	54
PID 2832 wrote to memory of 1284	2832	mscorsvw.exe	54
PID 2832 wrote to memory of 1284	2832	mscorsvw.exe	54
PID 2832 wrote to memory of 1284	2832	mscorsvw.exe	54
PID 2832 wrote to memory of 1488	2832	mscorsvw.exe	57
PID 2832 wrote to memory of 1488	2832	mscorsvw.exe	57
PID 2832 wrote to memory of 1488	2832	mscorsvw.exe	57
PID 2832 wrote to memory of 1488	2832	mscorsvw.exe	57
PID 2832 wrote to memory of 2188	2832	mscorsvw.exe	58
PID 2832 wrote to memory of 2188	2832	mscorsvw.exe	58
PID 2832 wrote to memory of 2188	2832	mscorsvw.exe	58
PID 2832 wrote to memory of 2188	2832	mscorsvw.exe	58
PID 2832 wrote to memory of 2796	2832	mscorsvw.exe	59
PID 2832 wrote to memory of 2796	2832	mscorsvw.exe	59
PID 2832 wrote to memory of 2796	2832	mscorsvw.exe	59
PID 2832 wrote to memory of 2796	2832	mscorsvw.exe	59
PID 2832 wrote to memory of 1596	2832	mscorsvw.exe	60
PID 2832 wrote to memory of 1596	2832	mscorsvw.exe	60
PID 2832 wrote to memory of 1596	2832	mscorsvw.exe	60
PID 2832 wrote to memory of 1596	2832	mscorsvw.exe	60
PID 2832 wrote to memory of 1680	2832	mscorsvw.exe	61
PID 2832 wrote to memory of 1680	2832	mscorsvw.exe	61
PID 2832 wrote to memory of 1680	2832	mscorsvw.exe	61
PID 2832 wrote to memory of 1680	2832	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
"C:\Users\Admin\AppData\Local\Temp\cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2480

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d8 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 288 -NGENProcess 29c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a0 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 280 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 270 -NGENProcess 290 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 220 -NGENProcess 1f8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 284 -NGENProcess 11c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 240 -NGENProcess 220 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 248 -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 240 -NGENProcess 1c4 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c4 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 240 -NGENProcess 1d0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1c4 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 290 -NGENProcess 1d0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1d0 -NGENProcess 290 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 224 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 258 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 290 -NGENProcess 2b0 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:696

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1052

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:320

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1532

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1756

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2860

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:312

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2176
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2364
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1880
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
e1a4f563ed792ba68d665ed34744d946

SHA1
73d985bef679ffd38ca797972e81c0a67204149a

SHA256
156e8b6805b3a37af83ed2494d43535f3c8e28379b3dbd5d6612530ed22bf3c0

SHA512
dfe190685486fe381d7b783e6b1f35ed4989556d43af127897720a29655a74101e8dc2d78b94af7fe5143a188917117fdae03c1546f5b9de1a0136cc0f51dc4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
30fbd54d02ad3047b707afb0dea6abaa

SHA1
5d8a872d9fe7db9f34a78916606eb54d646b0c39

SHA256
808cb2458f9aee3fa0e2d7eb147d4220403602a507a29d1b0640141c5c4589e5

SHA512
2c4d6248c7552a60f57f654afe3c0c66fc7dff402e15ff2d3543beb5e308606a4edf531d4cec55a6467f076aa84e7ef27c52d4ca56c432719b8addd069f26424

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b004e721131bf2e3495f6e347dc14f8b

SHA1
cd0966b20a878bb67c7520ea3003370a3ec5a592

SHA256
5ed0ef34099603da0ee748fb498e9427eb4a7cb7359fe60249f4ad3f50560ec6

SHA512
6ad3cba73d7d6771e3f1402b9612b62a2089e1d4c84acd6ea2a9586adc5b8c665da62335b6a730341b0bce90c0c6b5e22e5e4b5fc97337e27a76c72a4c6c0600

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
12a2ea8e990189ac625dcb1c1cb6e626

SHA1
975e7e7fd5714a31bc8470ea1749561539c5403c

SHA256
34bcc6958b545d6b8ff5f474fdbb0985d7e924ba0c213cb68ea075561090399e

SHA512
a8c51248685b29ca934476e78213b622546c5ca346fd9603a997daae3bff6f86ed6fd4b6628fd0636c44fc1629a736d0b029382d49f6052409276018d0dd7a3b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
86635603133ae0f0885a5688020ef349

SHA1
094c3e73862afb7936e1daa6cc6a83556be83d0a

SHA256
8a21e88b5fd6f8624a8f14d6372476aa953a122231284d457dca3d18e8546d68

SHA512
ccabcccd7b7334dc184455b8ab545074424215e2181b487e2826513f2fc5771625eff15a3f46e307c26e5ca14b97064bc2635cf78ba9e400a6d75c6f6334b2ee

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
306cf7db2eebcd7be9b175969e55da5f

SHA1
a094c8065c54f05c3c838df4f93d4b102a071186

SHA256
a934c4fe9b77e4f16ac9722e7b47694e82a86f6b904ea3217754f017d9478d40

SHA512
cecef8fa7655e9ad4a32686eb8a397e1c5edad8708c1e4171367fc53e26d69dd1b79400085a568b29db2b6b389ae20f2e67b71f5708c72c04351148bea593110

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
d0b587f15404ae188b300374e10724d9

SHA1
fd0f45a56eba805ff3868cbe8008b3d081e225ae

SHA256
2c41d936136ace65493fd5b57645c52451fea8c8b577832ec5361df90d75b187

SHA512
661e3ef582f7dcc20af8c045598dc00f200b3b3c21ff3776a95d71e58d48b707bec638067577d0c24cc41727b9dd2a21d61428ae0735caea12e8eb6c2e7662a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
a00de6ee1ac2298857ff7be530c61957

SHA1
1c46d343087291ee1635cec23558a173359f514b

SHA256
3fd45fa955d1b4f75c1d9295a7c98bd42ffa41df16a1c4b820e2ba72ff656712

SHA512
eeac17cd70591b28e538f6f1a9cfb9d02838e3781919602d05270e4cf4dfad08a0b28e7f4263abca129ad1fcd79992b55d19cb25e3dd8738ea651af4de6422ec

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b783307e1b7e36c122ce1df773f02503

SHA1
7577baa18d2c31da3679d80b0934f592596fb84f

SHA256
58847866a2f46e5c0e0cab1f35961ff9a416e0caac6d4777703e19642a7d4fde

SHA512
fa7f04c70cab4a2d8cdd55811b40c1e9b0fc89cd377c6009321489400b65173548c7d9c1ce6d4027693b9436d7b7bbde487a5d0253583ec942af83269eee1107

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
d69f1ac5c065c6c8bd28034796d92b40

SHA1
f62747aa7a39d9bb62ad337633a763c554b0e634

SHA256
a9093061c933b6f3da6e1319f7f96517f518dd7268da685026f8cc6459ec6f9a

SHA512
1d5f1dd2c5a2035bdb0d4cf8e98aa8a35094ed7c18664a2014d174edd9644b60e3c60962d58331783064a6834b257cabd884f746a318726daa65d2ebad12e45c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c70513760d0bb128cb68dff38ba2b83e

SHA1
10bcc5eac247c8696ef739c871bb6b3eed668c38

SHA256
b8c5a2f4de8d74d86c1784a0c80b8e47e63bd4144282e86ef7b386622b74c7dd

SHA512
2bfc3d4f9cd5f3c62a43c80e51c1ed6d2c9a4450fb84d97644870d5ecf58ba602ce94260831083784c3b5f545c8d6e8ad0c83600b08853c71fbde5da5b606681

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
fe30f6e6bca3bf68f7394798870c82a4

SHA1
c7eda819cc21621d83932534184677790da3d5b4

SHA256
4a40f09e538a3d1de85f4e7ffd46809f8846992ae9a476c3f84cd2d7f100a0e7

SHA512
d85db7e750063f3f3276f03b97b01909eaf4aea95a3988e6b047f8b795cb5dc5fd6214951331969a71c9af1a0d92dda9f72d3dced7d6c935db3beb54c4fdb2eb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
674KB

MD5
63c639630b728f4c86ca73af902a4c70

SHA1
f54b308005bebf54bc19e02efe4a6de6687c150c

SHA256
fb0010138075f01d71418b1a2630131e5c52ac57ca880ad20042ed188f89cb94

SHA512
4456a89e5d373025c29010d5df3f743c406b3608a0aff1926b347679a7c53e331c503ac3c3ee19de292c37e62df2d97e7f3ce437d1bc9bb94c61c5aec062ea16

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
1207a447716c7ec5ef99d996fe3f6489

SHA1
302c32c0d40273d0a56e47c804d7c93b9a4ae63b

SHA256
1b92e45f9b9b6223e45c4972aaef296e318314187a6ee0c9af1f5565947189e0

SHA512
cff0d809c81f410cc9c3c7a5b1ba92bc179f04bd135918a4710ef1429c584b26936fef9c7a7b0ab92799b10ef6d865571881307ac00650f1b887033afdb6a0f5

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
edb63790bcfb1c297e406a27b2db997e

SHA1
daeeef83643e2cb27c626f056f5c5bb66e6877f3

SHA256
225aad1ea58e3ba48448f1077ff9adbbb726ce2863590869d4b7d724dd86b14d

SHA512
a332f9429da3296960ba41d333f83af755c21b2d762016b96c3f144995880c3747e378001368f227b9d6d9bb4d7411e5003270123db50b9f651fd8e4b0ea2c81

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
1586ffe1cbf872c57fe0aa93e2360b1d

SHA1
b1945b28efdbd5f168b5301241c55509ba98fdbe

SHA256
100b7230336885ba275da66c9a5413c93be53b01cc16fcf28e369d69c4a89405

SHA512
9f9b19ac21f3a5d43afe9879f169f200ef66f1dd2536a6c5805852a97fee1d5a966993d8a61650cc36a5c1083e4c415b92b5227fb05ecd5c5e885aace5b8633b

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
256653d8d960d8708604f365569b22a5

SHA1
5ba2b4ad4ff1aacb7cc4773292a5abd1d628c3a7

SHA256
a4d107b8ca7c132e7820a31cb80c6b680d922a12a0e81b97481054b4a63d76d5

SHA512
64eff06cac995278055fcbba2d6c84bae3585382a765f315fd4819ad3b40e0881037a0b702f07e3f7f748c252444bee0fcb7c4950cc0f64be0faab0fc57d395f

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
6ad5ecf3d9e8995835d84ec85f077a13

SHA1
432e928feb0047ecb44f922ef84d336eb66b286b

SHA256
9c97478e83023b1bde5fad8f0613775fd7fd2a1b504a64baf403c3e60c916e65

SHA512
164b2f8ba656842954c06ca21b5c444779f9b57e27de92ae8e1bfccecdfc756e67441e2c20e27ca3268f49c9a19b1db15eacb593f65995d3ca93e0298e4ae275

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
58c1359d5484b84b38cc1eb086cdfa0e

SHA1
61f4a1d4a6f92b5614eced2f62eb2d31cc2a25a9

SHA256
4fd3cf6218ddcd738ff1c77c85880430aba88c97315f005c753da042c1bedef8

SHA512
8934bd47010712bf63cedcb4ec275b67b63a33ef13955a7ddad42dc6816ba39b57ec6a8d9e68ddd3b4ce25401832466db983ff0f49ba1a9a610a265823f85bbd

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
a7a580f795070feb988d31a90b553ab6

SHA1
edbf1b6f7aadc099fdec1fbb29da0753bf385d62

SHA256
383b41a226319b0beb941f7044b093535bf20bcaa49d58e23867400e9f2cfca0

SHA512
c2a8daa7fc398ce3d4d87066ed2b289916206c01df50aefddfb8be3ff1bd50f0fe8017b97d74250e746ed4318b9c455a0f6307321aebaf48e8422ead3eefb649

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
e72f3f3d20872a648718b3dfbdab402c

SHA1
9456f9d999154f0301bdd6248d2f66efb2908bf1

SHA256
dd7c496737b1b8a05880a3b2b4ec679b9223d96e80ffec3e1032a0c8ad45133f

SHA512
468756a390495b2b77fbd5c8ab51eec3af427125583d63edd1bb494712632876802f73b745c7de5aca494ad509ed4ce513433a18318e2b9ad38bff9fcb6b065b

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
3a3774eae21cb7b39ab7686e89db4629

SHA1
a3c46f31c6fdfebfafab13be4d7872ed4c4c5a06

SHA256
421508ca90c523524d08fd4d9bdc2b6ef5711abb93cd931fd75d8ca7be4fa83c

SHA512
8682631bab1bac7bfd8ef87c157f9b00b38ce00461249254d7d94c7e5dcd943bd94d04d0e060eb0dcc49b09cd38edac5d6918084e8a7656b453041ea71919688

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
084acff9c6da21b563e71e80dcb4033d

SHA1
6ae7ccd20f5f1b831bd437727a7326bf900a2b8a

SHA256
7d5ee9639df1cce0f622c398821d24637606c1d669adaab5b36e769ebbe1e629

SHA512
419350f505308cc44137d8725ddad2f8affaec7ac9fa7a6ef5502b7303ac8c9e83ea916cc855fa3bf77703c820895a58bc6b4196fc5c01eddb1e15cc99d6873a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
9172f2567d58dbae217fb7867b75b8d6

SHA1
408214aaa379eda5ad1321ab252d25dfdc0624ae

SHA256
f7309832f0792e190da9ecff1c7258b863f3e88ba32764a195cbdd06f4c611eb

SHA512
e735ef312574244b4b3f5385080a995ba08bec924238a48c50c3b4c6abd6216f47a350f345068b5cfda2b679978b6e636c4c44892be124921ffd0b68b6f7d3b1

Download Submit
memory/312-250-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/312-251-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/312-283-0x0000000072378000-0x000000007238D000-memory.dmp

Filesize
84KB

Download
memory/320-184-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/320-135-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/320-127-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1052-111-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1052-119-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1052-112-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1052-178-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1052-202-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1052-140-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1404-166-0x0000000000D50000-0x0000000000DD0000-memory.dmp

Filesize
512KB

Download
memory/1404-268-0x0000000000D50000-0x0000000000DD0000-memory.dmp

Filesize
512KB

Download
memory/1404-230-0x000007FEF44E0000-0x000007FEF4E7D000-memory.dmp

Filesize
9.6MB

Download
memory/1404-207-0x0000000000D50000-0x0000000000DD0000-memory.dmp

Filesize
512KB

Download
memory/1404-220-0x000007FEF44E0000-0x000007FEF4E7D000-memory.dmp

Filesize
9.6MB

Download
memory/1404-222-0x0000000000D50000-0x0000000000DD0000-memory.dmp

Filesize
512KB

Download
memory/1404-165-0x000007FEF44E0000-0x000007FEF4E7D000-memory.dmp

Filesize
9.6MB

Download
memory/1404-258-0x0000000000D50000-0x0000000000DD0000-memory.dmp

Filesize
512KB

Download
memory/1404-172-0x000007FEF44E0000-0x000007FEF4E7D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-168-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1532-226-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1532-174-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1576-263-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1576-265-0x0000000073D90000-0x000000007447E000-memory.dmp

Filesize
6.9MB

Download
memory/1576-213-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1576-224-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/1576-249-0x0000000073D90000-0x000000007447E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-191-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1616-193-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1616-234-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1636-91-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1636-170-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1636-92-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1636-99-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1704-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1704-6-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1704-7-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1704-70-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1704-1-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1704-157-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1756-238-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1756-205-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1756-196-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1756-239-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1832-206-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1832-152-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1832-143-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2016-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2016-55-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2016-124-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2016-62-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2036-297-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2480-44-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2480-45-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2480-85-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2480-38-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2480-39-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2504-269-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2504-286-0x0000000073D90000-0x000000007447E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2568-14-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2568-21-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2568-20-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2568-90-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2668-34-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2668-110-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2668-28-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2668-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2832-151-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2832-71-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2832-72-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2832-78-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2860-228-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2860-232-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2860-292-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download