e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 12:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
Size

1.8MB
MD5

69a90ef135d5f5c9887bbf6416981236
SHA1

4d4b47289496019013629a43c5560f23c9977d8d
SHA256

e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60
SHA512

ea951fe4042fcf423d06b9146bce798765d327b51fb5417f5d88aafbdaf9c92d4036daf44ea78f08641fba2e93cb7e0df13e50aae76b0340bb5993b5248141e3
SSDEEP

24576:oXGoPM9jkPd17jwfYl7jy0hslMQwKQnjr51uTiZxv879kENIdLwN4ZASFJLeOPz:eM9QPdxwfE7WlFwKAfzuTiDFUFkpnh

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 43 IoCs

pid	Process
480	Process not Found
2596	alg.exe
2464	aspnet_state.exe
280	mscorsvw.exe
1468	mscorsvw.exe
2364	mscorsvw.exe
1364	mscorsvw.exe
2088	ehRecvr.exe
1416	ehsched.exe
452	elevation_service.exe
1672	IEEtwCollector.exe
2356	GROOVE.EXE
2492	maintenanceservice.exe
2712	msdtc.exe
2456	msiexec.exe
2636	OSE.EXE
2132	OSPPSVC.EXE
280	perfhost.exe
1264	locator.exe
2320	snmptrap.exe
3008	vds.exe
2984	vssvc.exe
2972	wbengine.exe
2752	WmiApSrv.exe
324	dllhost.exe
1184	mscorsvw.exe
1632	mscorsvw.exe
2644	mscorsvw.exe
1008	mscorsvw.exe
2824	mscorsvw.exe
3068	mscorsvw.exe
1504	mscorsvw.exe
2620	mscorsvw.exe
1644	mscorsvw.exe
384	mscorsvw.exe
844	mscorsvw.exe
2024	mscorsvw.exe
408	mscorsvw.exe
1724	mscorsvw.exe
1892	wmpnetwk.exe
2764	SearchIndexer.exe
1692	mscorsvw.exe
2280	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2456	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
760	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e14b17413d2ec148.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbengine.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_pt-PT.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_ur.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_am.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_te.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_ko.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_de.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\GoogleUpdateCore.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_hi.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\GoogleUpdateOnDemand.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_ru.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_uk.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT118F.tmp	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\GoogleCrashHandler.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File created	C:\Program Files (x86)\Google\Temp\GUM118E.tmp\goopdateres_hr.dll	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5DC5ADD4-8CD7-4A16-81A5-27AB2FD4C3F1}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{5DC5ADD4-8CD7-4A16-81A5-27AB2FD4C3F1}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1704	ehRec.exe
2464	aspnet_state.exe
2464	aspnet_state.exe
2464	aspnet_state.exe
2464	aspnet_state.exe
2464	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2808	e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: 33	836	EhTray.exe
Token: SeIncBasePriorityPrivilege	836	EhTray.exe
Token: SeDebugPrivilege	1704	ehRec.exe
Token: 33	836	EhTray.exe
Token: SeIncBasePriorityPrivilege	836	EhTray.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeTakeOwnershipPrivilege	2456	msiexec.exe
Token: SeSecurityPrivilege	2456	msiexec.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeBackupPrivilege	2984	vssvc.exe
Token: SeRestorePrivilege	2984	vssvc.exe
Token: SeAuditPrivilege	2984	vssvc.exe
Token: SeBackupPrivilege	2972	wbengine.exe
Token: SeRestorePrivilege	2972	wbengine.exe
Token: SeSecurityPrivilege	2972	wbengine.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	2364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeDebugPrivilege	2596	alg.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2464	aspnet_state.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeDebugPrivilege	2464	aspnet_state.exe
Token: 33	1892	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1892	wmpnetwk.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeManageVolumePrivilege	2764	SearchIndexer.exe
Token: 33	2764	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2764	SearchIndexer.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe
Token: SeShutdownPrivilege	1364	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
836	EhTray.exe
836	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
836	EhTray.exe
836	EhTray.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
112	SearchProtocolHost.exe
112	SearchProtocolHost.exe
112	SearchProtocolHost.exe
112	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1184	1364	mscorsvw.exe	55
PID 1364 wrote to memory of 1184	1364	mscorsvw.exe	55
PID 1364 wrote to memory of 1184	1364	mscorsvw.exe	55
PID 1364 wrote to memory of 1632	1364	mscorsvw.exe	56
PID 1364 wrote to memory of 1632	1364	mscorsvw.exe	56
PID 1364 wrote to memory of 1632	1364	mscorsvw.exe	56
PID 2364 wrote to memory of 2644	2364	mscorsvw.exe	57
PID 2364 wrote to memory of 2644	2364	mscorsvw.exe	57
PID 2364 wrote to memory of 2644	2364	mscorsvw.exe	57
PID 2364 wrote to memory of 2644	2364	mscorsvw.exe	57
PID 2364 wrote to memory of 1008	2364	mscorsvw.exe	58
PID 2364 wrote to memory of 1008	2364	mscorsvw.exe	58
PID 2364 wrote to memory of 1008	2364	mscorsvw.exe	58
PID 2364 wrote to memory of 1008	2364	mscorsvw.exe	58
PID 2364 wrote to memory of 2824	2364	mscorsvw.exe	59
PID 2364 wrote to memory of 2824	2364	mscorsvw.exe	59
PID 2364 wrote to memory of 2824	2364	mscorsvw.exe	59
PID 2364 wrote to memory of 2824	2364	mscorsvw.exe	59
PID 2364 wrote to memory of 3068	2364	mscorsvw.exe	60
PID 2364 wrote to memory of 3068	2364	mscorsvw.exe	60
PID 2364 wrote to memory of 3068	2364	mscorsvw.exe	60
PID 2364 wrote to memory of 3068	2364	mscorsvw.exe	60
PID 2364 wrote to memory of 1504	2364	mscorsvw.exe	61
PID 2364 wrote to memory of 1504	2364	mscorsvw.exe	61
PID 2364 wrote to memory of 1504	2364	mscorsvw.exe	61
PID 2364 wrote to memory of 1504	2364	mscorsvw.exe	61
PID 2364 wrote to memory of 2620	2364	mscorsvw.exe	62
PID 2364 wrote to memory of 2620	2364	mscorsvw.exe	62
PID 2364 wrote to memory of 2620	2364	mscorsvw.exe	62
PID 2364 wrote to memory of 2620	2364	mscorsvw.exe	62
PID 2364 wrote to memory of 1644	2364	mscorsvw.exe	63
PID 2364 wrote to memory of 1644	2364	mscorsvw.exe	63
PID 2364 wrote to memory of 1644	2364	mscorsvw.exe	63
PID 2364 wrote to memory of 1644	2364	mscorsvw.exe	63
PID 2364 wrote to memory of 384	2364	mscorsvw.exe	65
PID 2364 wrote to memory of 384	2364	mscorsvw.exe	65
PID 2364 wrote to memory of 384	2364	mscorsvw.exe	65
PID 2364 wrote to memory of 384	2364	mscorsvw.exe	65
PID 2364 wrote to memory of 844	2364	mscorsvw.exe	66
PID 2364 wrote to memory of 844	2364	mscorsvw.exe	66
PID 2364 wrote to memory of 844	2364	mscorsvw.exe	66
PID 2364 wrote to memory of 844	2364	mscorsvw.exe	66
PID 2364 wrote to memory of 2024	2364	mscorsvw.exe	67
PID 2364 wrote to memory of 2024	2364	mscorsvw.exe	67
PID 2364 wrote to memory of 2024	2364	mscorsvw.exe	67
PID 2364 wrote to memory of 2024	2364	mscorsvw.exe	67
PID 2364 wrote to memory of 408	2364	mscorsvw.exe	68
PID 2364 wrote to memory of 408	2364	mscorsvw.exe	68
PID 2364 wrote to memory of 408	2364	mscorsvw.exe	68
PID 2364 wrote to memory of 408	2364	mscorsvw.exe	68
PID 2364 wrote to memory of 1724	2364	mscorsvw.exe	69
PID 2364 wrote to memory of 1724	2364	mscorsvw.exe	69
PID 2364 wrote to memory of 1724	2364	mscorsvw.exe	69
PID 2364 wrote to memory of 1724	2364	mscorsvw.exe	69
PID 2764 wrote to memory of 112	2764	SearchIndexer.exe	72
PID 2764 wrote to memory of 112	2764	SearchIndexer.exe	72
PID 2764 wrote to memory of 112	2764	SearchIndexer.exe	72
PID 2764 wrote to memory of 2460	2764	SearchIndexer.exe	73
PID 2764 wrote to memory of 2460	2764	SearchIndexer.exe	73
PID 2764 wrote to memory of 2460	2764	SearchIndexer.exe	73
PID 2364 wrote to memory of 1692	2364	mscorsvw.exe	74
PID 2364 wrote to memory of 1692	2364	mscorsvw.exe	74
PID 2364 wrote to memory of 1692	2364	mscorsvw.exe	74
PID 2364 wrote to memory of 1692	2364	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe
"C:\Users\Admin\AppData\Local\Temp\e53ff51304f094a0f326547784dc0804bd39f612e78a06bede9a2ab30ff1ee60.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:280

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 248 -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 258 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 244 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 1d0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 1e8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 1d0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1a4 -NGENProcess 274 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 274 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 258 -NGENProcess 290 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 118 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d0 -NGENProcess 294 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2088

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1672

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2356

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2636

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2132

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:324

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
51df6655e5b80662001c822b0e44303b

SHA1
d3618eaa34c699236cf9ae8c75d75e0434abd41e

SHA256
525ae5ea11eaff21b905e3242853eba3b1362c568b947cb857b41428903bb749

SHA512
b16af712f49336bc1efc5ddd554bb811eacd2bfbad90fdc47ce5654a35fae122f4f890a44ff6dcd1f76f270b799c33a04ebae7d4860ce68195b1ca06ab01918c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ec4262a9eb02bcafd90ae4417c2201e9

SHA1
28c267c3905e2f13cdf75de25fa9c711d3474567

SHA256
f46d6e84faf85616bb895300b410ec548456eaf537c8d7fa7b997a5ccd5f0700

SHA512
028c4a8072b901de969bf116335f725285338230aeb6d5f805b4a76d6de2591dfc64e530096daa0faf1561548b4ba73e982ede40ebc242649229928bd482b659

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
72dc5fe1146efdf17541b9b91ef149dd

SHA1
4700dd6324bf4406565639beb933b61d00ee9e19

SHA256
c27c209083ed37068be937caab47e78b3a6ac9fa50c0f81ea9824c0c2aa389dc

SHA512
bdc96ca1865d0467a9e2d60f50ba35dc1a35eee0d5c07d10b62f6cad80ca60ab62de1f013eda1a07cd9a133ca7fb2017653c20c4c08aee130790927635178a7a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f8c9f4d653ae358d5215c1097e556b92

SHA1
a43babc1424d166cb353c94593633e85df302142

SHA256
ffa090f02ddc9852b01b55055bd528248824bc810327e3fcfbb752dc1feb4cdc

SHA512
6ee469b29664cc8091ef2be68fba73379e6212b7266f32e83d2d3d9d950fe31ac71442c9bf4fa0af0167e8eba7a9dda490563c154f69b4db965a5b35400cae25

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ab9e69358417904367e2e3876bb5352d

SHA1
c751da835410a77066f924c711613636b6fc0f72

SHA256
0f492011de82e58f6f65a9769f1092670b93699ce1fefe09fe8e9d358bf15a2e

SHA512
b56cf009669067c1f6abe3285161c9ec125ab7bf7e56c07da70d923ae36834051691c9f8b53fb653d414fe2a7d70116d6e1430ad017accea983fcb56f5c7867d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
10b29ab6a20f00bfb34f115d114c9f3a

SHA1
12fe0187e6ad0382241bf272f4c876d5cfb84cda

SHA256
618d9073b5daaa227bc665901cb63eb5399f5e7c6a530fd298dfe8f90f4acd65

SHA512
8dcc96c7a2959f07cb9ef87ae512a84f00cbeaa50a9a92b121fe5557664b3ec6b36c49e443ad654fb1dbd06f6f9147913805b821d8b9e025e89ca9ff28c61f35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
6df3cad5f7e78b484fc37d20b0a77c2d

SHA1
5baa8615f90a09f0e652f98870d9255e226627e3

SHA256
2176c726f7f0e259e57bc6d5a9a0b1cdc3a9f8696e813682a11494096ec5e5c6

SHA512
3195674b2eb7ca7b49e101956f7d24f0814e6b83d82172899668f9f314a5d1ea54921ca46de2814ec23cad73efcb97697502b9131adf47621c5b5ebb8559c1c2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8dfa8073e94752cbf092882a8beb3ad6

SHA1
51434d9e0dc7436bc73772ccb499bf7b3d152530

SHA256
dc590962c0149329ad1d823138cf58f1f71dac90615c442023fca32b66a366d1

SHA512
c9207fd76d9b7046ce497a8df080acbbc72be0252770f4d80dd50e615a1bd38a3f8e6187b8eddf0b8fa9c18409fd19ef6358071138aa69e26bc55370b378a3f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
b161da9a47ef39b1e2e8ff4080022842

SHA1
3b12144fa01fbaa48ac61d087799ef8b9d7d7aaf

SHA256
2c48c85897fd2983a6c6fbe8b9e8f9ae1798bd78942ca15df6a45484a870ea2c

SHA512
3b54498711518a20825fa3a9e176244a65c341b365ceea3501326b54e7f6584556b9a0d7908ff88f747aa45d00898aeb0e85be381ffb396f1f0a51c459831466

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
92901309c57c41ba61d6f55a99434cba

SHA1
edb3e463956710a3a074659d1ad34b8f41ca754a

SHA256
7dd84e81a3c6b72db6a95e399cc1e4971dbff9e0e51d000f7782c8ec19a605b1

SHA512
a9af7a6ed01c3463f1ccbc1d691c573e20c167c0f8b0ebf48397e4d25f95f6cec444decba1513cad1ab1ed751904479165373da5827519426c2bbffebc229606

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
108f2034613a4d57ef20527af89d04c2

SHA1
c12ab48fad4afb46e3a377d94b8650d167f1cd2b

SHA256
1bd8a8ad708db561ce82eb906196a5352c6c132f5f21177535bfd2bafd759e73

SHA512
55146a36157e71d3dffd69d156bb18b2ee642bf4adcbe0cb49e7174d3fe97738e3e7388e9f8abb39c38f1ce1bf06aba49ffceb6dd68f85d1cfbd391ea0651fe1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
81ecbbb732941f3a3169a826daa81fa2

SHA1
ef0ebd056379aefbfbffa330d218defb33e66119

SHA256
b19bbd0707221a9d2ccff25cab53b463be849a28a40ace23ee6d1e78d3107ff4

SHA512
21c3e651b8721b81d8bf7b5a1dd615afd9ef168fcc1803ee92250d8466e330307af51e9273e63c7193626ff47943b4ce8df62beb0a23cd5257b09ea3204e0c96

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
5fb1a42591dd9cc764f0c1b54db9d059

SHA1
00f8160e26ba3355b1ce87e608acaebfd87f38e7

SHA256
9824fe3831f727da04376b3647937ed3c9689a3e5948e8e6bae376a38d5366b9

SHA512
78511b2c41b9f7deba35640cdf3e80a3679b72b8d3ab1141a3b763dd37bf724d48e25ee780ea9a24274473127154170089ef0f5a069623e9038bf969f56491d2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f98bad471f6d149d64bf95a7eff55d17

SHA1
5d76c091beda9abe21bc1e1e58788f8dd7a7aa2d

SHA256
6d8ac80e2f2afda8dbb9d3b7cfdf4be98fb0e9d196c6a2f4743e2f53513f6e01

SHA512
80ea9d5b3dba26452bbed20ef428d387ead6ec3a9227364ffdb2169b027fb5cff2a168a69900fb53904c2ff8191c5e28a312cf157f981f4fa3709c0d06ea7f84

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
239bf0f49ede0d75ab3c63876d71d76b

SHA1
26f4eb7b7d54e0c1c17ab55b330e45af904ed83a

SHA256
907f753da093da1e87b92477633695a8ccf2ea627d1c238eae70032c9352ab06

SHA512
14b4191d463131ecfb76699b5ba52ad14d5e6758bf3175e35165b257802aeac3ea547c1321e14222aac91937e9b4d4bad0acec74024c41a5d2ea04c2192d28fd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
e3a5ce42af936b224fcf9b166546b144

SHA1
a61129a8079153af2e29b4f26eafa05dd03200ed

SHA256
0fd8d012795b1d1f26dcc2d342efd00158661c1452b3541b01dd006a15647040

SHA512
5bc2282d3120b34c517fec613ec48871a16b9a2d54f604f86506a6f4d11798b1e460030677ae60bfd09d7337692a438fe1aa91de2d9c8f02d98ada6d52b56246

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2991e1b3b0c4a95b33eb8456fb9c257c

SHA1
5bf31d03c2eca88331c35249231ecb64b83c3d10

SHA256
fc50245e99a8d764e211649f21bd23995d8852f26ef6676225496f417f9c8973

SHA512
4b36892284d3e472ff2eea3a5c9dc543f90bc4062e891e2df5d8daf0b28cc9101b56e523e4783c92d0fecce626dd682f425e9440bd42574f82520f0f4f6f1caf

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
e91c0b0287821c92a17e175f8ce983d5

SHA1
8ec5ffa0723de88ecabb5f01dbbd300c91d7c959

SHA256
c951834ca08f78dbff3f34947e8e89661beb6e987aafa1445640bcdd8701eae9

SHA512
ed3257ff606b27073f9ca2e4c1afcbf121fe77c674861de0a9bc51fedd56ddde27f7dde534de99b2ce834f1decfc34acdcf2fea277f06b1ba4da35f0d4b84733

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
2088e3d7ca89e3d57daa98e728ed13c7

SHA1
1239fe289e4017585b4783c0b702ee8ef84d6eaf

SHA256
e146634e9aea4cb172eaf2d98bdf03c85fd7d67c90296643eea22aeb341c21d0

SHA512
185ae2723db01ade8bbcb3a52a863d810f561246c927da442ab9613233bb475ef0bfbe218fd5baad39bcff00fdf6ef90dc7d4d2fab437051a16dac2802365c26

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
1c96542fbb75366fcb973d1cc95c0b42

SHA1
afe06da743e4e094c2dd09ff206c6f86662dda22

SHA256
ba15c497d8b1d875799327cd1cff91ab52b1f2c8fd965adc1748c0ccf17f8e3e

SHA512
b5d7122695ab8e6f762b92dd7ce8b2febcc0205799a788879f881eeeaca0a926d4dffa42b11db68ab000f6bd0777d9de3bedae2370834b930dd153cc1ba63e55

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
9772a0d316ba2abd038dbc6d47dcd1f0

SHA1
ab2c72c34600026ea879f655e3411490cbb3249f

SHA256
0e3234016001f916b1303da1dc27d901eb8d5ff4ea618a211f8f56e5fd3b8c47

SHA512
f72ca57f84a5a5509e2087203c933f2e9fcff5023c63b20aeeaeff071e27a986953e2390c1be30c413b9820a9287e778b9912a1fb52b7dc03e7bb7ae1bd27f44

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
b979ae6057bbf6f1946c0b013483cabf

SHA1
aacddc02ea781cc36525cbb572ee0bc5c4fa826d

SHA256
108785f15a254c665271eabef7251b60658623801bbb7952afb7f878dad46502

SHA512
9e207051a9962164dcdf2c5faa3af06572854fa099cab80bc25261825eb957b67cf08a95b96f48f5c61c7b154cb97518af979530858cddb9d07ba70715d17fe0

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
3cf735cd7dc2e126a5073af9a48234f2

SHA1
d64fba67600c03acf1a29355925bef75f08eadbd

SHA256
3886c5c33d75d6a5195b05a0d46b621125ae05de033bb17f586785b159559416

SHA512
9b56d3c852e3cd96f5bdf914ec9e2afaf86410f3fea345df944dd34997f86324e5e9ed4b4823778101f99380f33df7d7d8ba5c7201c3307c736b2e5286dc3028

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
01c23cf5c2617fdc9fb3f3d0ce77d648

SHA1
53ce90ad6796234a024c037f1bc919b49fcc36c6

SHA256
6ebd3785a8c0ca4e2dcd9cfff5fed938abf2d6f094e141138b8e70e113f58988

SHA512
e47cb41d9e92e6dac2e89129de705430159b1829b885a21835e5882808abe6fa8dedfe891b8dbef64c802e14a94a6183a143e8d60d408fa9f1327cf7de16499f

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
c7f25c669132b89c997540ce691680af

SHA1
683fab58630091fa04169f98654f906a6234ec19

SHA256
7749dacdca39aa148afc4cdb2784caf689e7e31b2999dff3e47fa85748c7995d

SHA512
f05c22f59c5da5a57ee5f5a768f7012cc586cdbc6fe20727ba31c8f7c35026394ba2847132aad3e4e611aa88f04c767f40671c9e3f80053371003e4347b66bea

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
7f226b7c62731280035348e171a231c1

SHA1
230c801f4d692d33302693564759a6430f9877b2

SHA256
114944b4339518059f010a55efcc782de679423d4878003c2bdcf49dc9473fa6

SHA512
57f595697e3acac8fdfdf08aa9a687979d7dcf759653d70193bf2288880f1c07572e9427cd4383fad0ff5ad2e3284c9b7f12c4e141994ebdb711f3e9325de9ee

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
a8ad392f34948f2372af54dbdc03656f

SHA1
812b44e0f256040260c08a029daef9252c9264b0

SHA256
3701837d5d53f681bd466e6e7721d569a1314e7b586bc18a336d50e8c7e628bb

SHA512
498b0d95b8b3a2f40b9d334d70514321fde75bb07131dd1d3a5a21ade4210659fd610aff7b8cf7bd266be7601e955d90411ec6f9994bb440d40f9adcd060249c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
acc3f86befcb606c2edbf334889f1b50

SHA1
fa787b1e55f306752cb4c7cdcb30f47108fec1ee

SHA256
c651325bb63f5f686d73e39885ea0b586b5fc470412204fe96f52c04251ca7da

SHA512
7f9e052fc43beebe02b40f2c7272df792f4987fcb9c7ccc5e8b0a6ee07d569b68650258353c0195e48537fc89954729d0fa85056d7f09ceb22827e8e9583ea4c

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3308f320c325b07d05d2faaf1d701edb

SHA1
7d4b7889194b2d153ee37c86106a426a2329df90

SHA256
349cc38fdf785ceaf04d1376fba7a42f672aa5d610ce4d252d0905e40dd74f89

SHA512
844d29c95e7311af0e09352ed8bfe3b917874fc0394b6bb5bf339412b107e7d08c32ed112b64c7b2a500a2dc7d31134879f77e7cc617407ff1c438b0d955739c

Download Submit
memory/280-316-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/280-105-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/280-129-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/452-188-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/452-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/452-194-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/452-271-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1264-323-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1264-330-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/1364-146-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1364-139-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1364-227-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1364-138-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1416-174-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1416-173-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1416-181-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1416-252-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1468-114-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1468-155-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1672-278-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1672-224-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1672-202-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1704-301-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1704-279-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1704-218-0x000007FEF4540000-0x000007FEF4EDD000-memory.dmp

Filesize
9.6MB

Download
memory/1704-204-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1704-214-0x000007FEF4540000-0x000007FEF4EDD000-memory.dmp

Filesize
9.6MB

Download
memory/1704-228-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1704-282-0x000007FEF4540000-0x000007FEF4EDD000-memory.dmp

Filesize
9.6MB

Download
memory/1704-341-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/2088-239-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2088-186-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2088-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2088-159-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2088-167-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2088-195-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2088-184-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2132-317-0x0000000073EF8000-0x0000000073F0D000-memory.dmp

Filesize
84KB

Download
memory/2132-312-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2132-308-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2132-302-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2320-337-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2320-344-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2356-222-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2356-225-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2356-289-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2364-122-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/2364-127-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/2364-121-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-205-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2456-335-0x0000000000580000-0x0000000000632000-memory.dmp

Filesize
712KB

Download
memory/2456-321-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2456-291-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2456-272-0x0000000000580000-0x0000000000632000-memory.dmp

Filesize
712KB

Download
memory/2456-267-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2464-65-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2464-94-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/2464-172-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2464-101-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/2464-100-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/2492-248-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2492-232-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2492-249-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/2492-240-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/2596-13-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2596-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2596-30-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2596-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2636-295-0x00000000002D0000-0x0000000000336000-memory.dmp

Filesize
408KB

Download
memory/2636-339-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2636-293-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2712-315-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2712-254-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2712-263-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2808-137-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2808-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2808-6-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/2808-1-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/3008-357-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download