b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 06:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
Size

1.8MB
MD5

5c251d0b227238a1dec67505a99d33b7
SHA1

5cf2fd8b4078b9be2539e2fc9f4135651a97d2b7
SHA256

b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f
SHA512

d7a4fbcfd94afddf23d73a8cc26c7955aa60cc89296f50a4119c0d8f1c96e880d29c549c92171f965c3c1ef021f90285cb16a1fbb0ac7f24aa1b8683f79c84c9
SSDEEP

49152:+M9QPdxwfE7WlFwKAfzuTiDFUFkXKPZdD4s9sUUS:+1PdVQFwKZCFgY4t4sWvS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 56 IoCs

pid	Process
480	Process not Found
2988	alg.exe
3016	aspnet_state.exe
1904	mscorsvw.exe
1480	mscorsvw.exe
2796	mscorsvw.exe
2256	mscorsvw.exe
324	ehRecvr.exe
1172	ehsched.exe
2200	dllhost.exe
2576	elevation_service.exe
3020	GROOVE.EXE
3068	maintenanceservice.exe
1272	mscorsvw.exe
2508	OSE.EXE
1872	OSPPSVC.EXE
1888	mscorsvw.exe
1596	mscorsvw.exe
656	mscorsvw.exe
1520	mscorsvw.exe
1556	mscorsvw.exe
1300	mscorsvw.exe
2552	mscorsvw.exe
2896	mscorsvw.exe
2724	mscorsvw.exe
2348	mscorsvw.exe
1108	mscorsvw.exe
1828	mscorsvw.exe
884	mscorsvw.exe
1520	mscorsvw.exe
1736	mscorsvw.exe
1724	mscorsvw.exe
2672	mscorsvw.exe
1932	mscorsvw.exe
2768	mscorsvw.exe
2032	mscorsvw.exe
3004	mscorsvw.exe
2964	mscorsvw.exe
2992	mscorsvw.exe
1956	mscorsvw.exe
1392	IEEtwCollector.exe
2332	msdtc.exe
1228	msiexec.exe
2000	perfhost.exe
1020	locator.exe
2992	snmptrap.exe
1600	vds.exe
1756	vssvc.exe
2560	wbengine.exe
288	mscorsvw.exe
1564	mscorsvw.exe
896	mscorsvw.exe
1444	mscorsvw.exe
2632	WmiApSrv.exe
2364	wmpnetwk.exe
1036	SearchIndexer.exe

Loads dropped DLL 15 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1228	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5d75389756fe8faa.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_is.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7AE638D3-C69D-42D5-9B63-3C52AA32D796}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\psuser.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_sl.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_zh-TW.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_bn.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_da.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_nl.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\GoogleUpdateSetup.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_en-GB.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_fi.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_pl.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\GoogleUpdateComRegisterShell64.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_sw.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\GoogleUpdateCore.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCC.tmp\goopdateres_lt.dll	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DCF4D8EC-90B3-4DB7-9D65-3D9B4091BDB3}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DCF4D8EC-90B3-4DB7-9D65-3D9B4091BDB3}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{B32E8ADB-C0BD-4B54-BB55-829135EBCBCE}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{B32E8ADB-C0BD-4B54-BB55-829135EBCBCE}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2632	ehRec.exe
3016	aspnet_state.exe
3016	aspnet_state.exe
3016	aspnet_state.exe
3016	aspnet_state.exe
3016	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2352	b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: 33	1692	EhTray.exe
Token: SeIncBasePriorityPrivilege	1692	EhTray.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeDebugPrivilege	2632	ehRec.exe
Token: 33	1692	EhTray.exe
Token: SeIncBasePriorityPrivilege	1692	EhTray.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeDebugPrivilege	2988	alg.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	3016	aspnet_state.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeRestorePrivilege	1228	msiexec.exe
Token: SeTakeOwnershipPrivilege	1228	msiexec.exe
Token: SeSecurityPrivilege	1228	msiexec.exe
Token: SeBackupPrivilege	1756	vssvc.exe
Token: SeRestorePrivilege	1756	vssvc.exe
Token: SeAuditPrivilege	1756	vssvc.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe
Token: SeShutdownPrivilege	2796	mscorsvw.exe
Token: SeShutdownPrivilege	2256	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1692	EhTray.exe
1692	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1692	EhTray.exe
1692	EhTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1344	SearchProtocolHost.exe
1344	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1272	2256	mscorsvw.exe	42
PID 2256 wrote to memory of 1272	2256	mscorsvw.exe	42
PID 2256 wrote to memory of 1272	2256	mscorsvw.exe	42
PID 2256 wrote to memory of 1888	2256	mscorsvw.exe	45
PID 2256 wrote to memory of 1888	2256	mscorsvw.exe	45
PID 2256 wrote to memory of 1888	2256	mscorsvw.exe	45
PID 2796 wrote to memory of 1596	2796	mscorsvw.exe	46
PID 2796 wrote to memory of 1596	2796	mscorsvw.exe	46
PID 2796 wrote to memory of 1596	2796	mscorsvw.exe	46
PID 2796 wrote to memory of 1596	2796	mscorsvw.exe	46
PID 2796 wrote to memory of 656	2796	mscorsvw.exe	47
PID 2796 wrote to memory of 656	2796	mscorsvw.exe	47
PID 2796 wrote to memory of 656	2796	mscorsvw.exe	47
PID 2796 wrote to memory of 656	2796	mscorsvw.exe	47
PID 2796 wrote to memory of 1520	2796	mscorsvw.exe	48
PID 2796 wrote to memory of 1520	2796	mscorsvw.exe	48
PID 2796 wrote to memory of 1520	2796	mscorsvw.exe	48
PID 2796 wrote to memory of 1520	2796	mscorsvw.exe	48
PID 2796 wrote to memory of 1556	2796	mscorsvw.exe	49
PID 2796 wrote to memory of 1556	2796	mscorsvw.exe	49
PID 2796 wrote to memory of 1556	2796	mscorsvw.exe	49
PID 2796 wrote to memory of 1556	2796	mscorsvw.exe	49
PID 2796 wrote to memory of 1300	2796	mscorsvw.exe	50
PID 2796 wrote to memory of 1300	2796	mscorsvw.exe	50
PID 2796 wrote to memory of 1300	2796	mscorsvw.exe	50
PID 2796 wrote to memory of 1300	2796	mscorsvw.exe	50
PID 2796 wrote to memory of 2552	2796	mscorsvw.exe	51
PID 2796 wrote to memory of 2552	2796	mscorsvw.exe	51
PID 2796 wrote to memory of 2552	2796	mscorsvw.exe	51
PID 2796 wrote to memory of 2552	2796	mscorsvw.exe	51
PID 2796 wrote to memory of 2896	2796	mscorsvw.exe	52
PID 2796 wrote to memory of 2896	2796	mscorsvw.exe	52
PID 2796 wrote to memory of 2896	2796	mscorsvw.exe	52
PID 2796 wrote to memory of 2896	2796	mscorsvw.exe	52
PID 2796 wrote to memory of 2724	2796	mscorsvw.exe	53
PID 2796 wrote to memory of 2724	2796	mscorsvw.exe	53
PID 2796 wrote to memory of 2724	2796	mscorsvw.exe	53
PID 2796 wrote to memory of 2724	2796	mscorsvw.exe	53
PID 2796 wrote to memory of 2348	2796	mscorsvw.exe	54
PID 2796 wrote to memory of 2348	2796	mscorsvw.exe	54
PID 2796 wrote to memory of 2348	2796	mscorsvw.exe	54
PID 2796 wrote to memory of 2348	2796	mscorsvw.exe	54
PID 2796 wrote to memory of 1108	2796	mscorsvw.exe	55
PID 2796 wrote to memory of 1108	2796	mscorsvw.exe	55
PID 2796 wrote to memory of 1108	2796	mscorsvw.exe	55
PID 2796 wrote to memory of 1108	2796	mscorsvw.exe	55
PID 2796 wrote to memory of 1828	2796	mscorsvw.exe	56
PID 2796 wrote to memory of 1828	2796	mscorsvw.exe	56
PID 2796 wrote to memory of 1828	2796	mscorsvw.exe	56
PID 2796 wrote to memory of 1828	2796	mscorsvw.exe	56
PID 2796 wrote to memory of 884	2796	mscorsvw.exe	57
PID 2796 wrote to memory of 884	2796	mscorsvw.exe	57
PID 2796 wrote to memory of 884	2796	mscorsvw.exe	57
PID 2796 wrote to memory of 884	2796	mscorsvw.exe	57
PID 2796 wrote to memory of 1520	2796	mscorsvw.exe	58
PID 2796 wrote to memory of 1520	2796	mscorsvw.exe	58
PID 2796 wrote to memory of 1520	2796	mscorsvw.exe	58
PID 2796 wrote to memory of 1520	2796	mscorsvw.exe	58
PID 2796 wrote to memory of 1736	2796	mscorsvw.exe	59
PID 2796 wrote to memory of 1736	2796	mscorsvw.exe	59
PID 2796 wrote to memory of 1736	2796	mscorsvw.exe	59
PID 2796 wrote to memory of 1736	2796	mscorsvw.exe	59
PID 2796 wrote to memory of 1724	2796	mscorsvw.exe	60
PID 2796 wrote to memory of 1724	2796	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe
"C:\Users\Admin\AppData\Local\Temp\b03dcc2b3d2fabdeca173f7401195bdd41a3a2c2f1484058b62d7c99e672b93f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1904

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 1e4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1e4 -NGENProcess 1dc -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d4 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 264 -NGENProcess 240 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e4 -NGENProcess 26c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1dc -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 274 -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ec -NGENProcess 264 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 27c -NGENProcess 258 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 1ec -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 26c -NGENProcess 27c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 1ec -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 264 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 2a0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1dc -NGENProcess 200 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 254 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 200 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:324

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2200

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1692

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3068

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2508

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1872

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2332

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2364

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1344
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
b87e945e42b139e0e22d1836a84e1642

SHA1
80b0dfece8d21c37525a9325980dbe991f772e06

SHA256
ca87ae72c50d1c7e03b187a668225a1b8bcf13cd7427306939df91facfc2a817

SHA512
607399bd1f4ae7bb38360280a1e9de72e1e67b88ae572ee439977e6ff0dd7ad2e902168ade65c13f3be5a7c959d067ad2d948e3ed23bf7f963880ca7d2a8ff08

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
2fcbe24a0364d26c91ae481f950372bb

SHA1
24209ee97152d5d4e675b15db0684a5f5d1ac9a1

SHA256
38ea27605526880d894fdd859fddccc9fd2481759cc4a7fb543c9f18861df6be

SHA512
c05588df758664e06620c76e0d46911ee574eaacd0a12f43404983d7264f397c4ef27e8a5977984fbe6b1d63d0b1e0ffe165709124aed7d0f858f469e787d515

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
ddf3e8ca360f4895069b29c4a0260b4d

SHA1
bdc1d7b4fb68c4b85eaba88f9716042c891fcab8

SHA256
cf91b8f9053e9dfd41c541e39bd2c1e90b197febe53b59501fec6d728b2a02ce

SHA512
6d58879decd9298532e26131c23aa6d109a50edbe73895e5e04867428288528f1667cc7b7adff8c8ec0d50feebb4f605834579a23f62ddc4d68e44cf1d52a942

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9e9251c64e845b8310b77062b55caadb

SHA1
bb2b4e54c5e5ba0cafad36c25aecd11a8cac340e

SHA256
32518b9ab5ab38e2dae8d8473e84b8f58bc5ffcc1f1d766ee9aa4dd80d8977a9

SHA512
d0ddd11891279c5e8aae8f6d1b9818b44b0c8b012ed5271d7438bb2b4837e1f58925c34212d3df4c84a123e56719cce99dc3d2638795e82c3fd328fc3367d1c5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1418c52aa9b0fd53a016d55b41499079

SHA1
094a7600e96033d36aaecb535679cc09fcb4831d

SHA256
0b9851c29600b92929f280c49bb904a22d306442c18f8da1f768b85f5752d053

SHA512
7b1afe75188d8420a271ec34f4f317d916ea53ff69aab5cc616e3d9962399d4ba0c20923165f169d6d499a040f58208fccf429982c8791d4c67e7e0c93b5de39

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
797286f6bd275073e20ba1d6dfc4ff1d

SHA1
1f889d4ed1188976f33ea15dd44f652dfe1225c0

SHA256
b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459

SHA512
6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
2aeb649f13b5a1c0000b84f46591977d

SHA1
2f0b52ec1585af542a7bece1aff25b3abeaf3f88

SHA256
8ddf6cbae74c3e86a3f383d7011cf98fe88d830a392dac712ea94c78f8189ac7

SHA512
2234a5e9bc5c8a39b627633e900a3abb9eb9260b26146cf70dba24039c87729374976fa2a6e6869f9b759d4c0cb0a6a59ee1ebae341e4d8b7b230a898ba50b1d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
5bcc7489dc29a72d216852555744f364

SHA1
ea18171df2787a7a0655c4ad34db2968319d8030

SHA256
2ab8ff05526f8f9d0c65a596fa4e08bc48c44aeb0e384ae73ff14eeb9e5b3775

SHA512
98045c3493f952c852a4507f335aeb206bf3452b2781c54b91581948623c5a38a32f633238ee6e7e0ae33f6a3c94f37f0a912bdda18bb1e820a5807c318e0878

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
a8f22d0fc24cc7805b2f44e44160ded1

SHA1
8b3ed88a2116894e0a55b7184a9229843eb2691b

SHA256
587d05722a2846558e9e1e81e5e38a908afc93cd152ae78e41c648c936a1b7f5

SHA512
cf7aed8daeb65b522a5a31bcfc0137a63035a4232aca1b62573a3e77575eeb2b3418c115e68a84aa178c4296b92e69bfc06f40431b6da2fe0a38740f52210a32

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
2889520b50d6d48d5aed197a67d9c492

SHA1
6018d4c0018fff55a9787cdebae40fcc93f8b726

SHA256
8ba65c95c6cfd606bf77860e728756ff4cc864666e6cc1a4dd77109b312bb49f

SHA512
07563c6d7a174d7ffc7136d77b475f5c350481838e224ed4edf244a222d94b4d9fc0e1b1518371b045dbfb421c483c7fba8525a92de4a1c08fe1d7b51d5e4ac8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
40c7030f4c618d74dabf0e632fa7cc49

SHA1
bf79f27a0cc20de92d0a5f34fc5820c2115d1978

SHA256
b315c79ba5122dbc63526defb389e8890e0803ec3cde965075db4f739fda89f6

SHA512
85d81d747e7a041e8f91878aa896dbeb7eb287863ae4d1ddc9b01cd9659c02b49f4dd947c3738f717d132a82dfc86e7252c927d8378c70f500f8912aae01357a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
156491f8d7395710e236df5e1da301c8

SHA1
4c52af87943bb94722b71b356e25adf7ce792507

SHA256
72113afdcbe6f9d60a59c64af53846f32eb32e9862eaca85b43bb815c45a1295

SHA512
497e0f854114b5cbf8144465083054325886b536b9af01febb0817e1c69dcf7132f04fe959f35d9c2da24fec241cc152d4c3a6a73cd365892be91f683b469e97

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
075431483259d52327196485017a9352

SHA1
1bb885196aafdeab924436e6ad2729db4ef2f220

SHA256
ce94dee2599536fa55db1e0b91d2f2e8d8599b9aa76da53ea7e3874ca353d880

SHA512
1a6a95c7e44f776e0da8227d9ab18abe9569c483b335db374bcf5adea3c5c0ee2462e67541fca0511d14c84801abd3b79e617165f488973e7d117d2267e873a2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
0e0481dce885253d5c9c499ace244fd5

SHA1
b41abb63593d97fe244dd7d37dab4b8d8dd6b1d3

SHA256
a13fe2eee20bdb6b36cf8d89be9622636c9bd533372e8c69d7f099a6fe8bdd41

SHA512
85919ec74ee6a5c40cd0e711d207890f366b48d72705ccf52adf11fefb9c3bc0748c63ff0943e3def4218eb896097d9529ad5a29e6cac0b06a75debecddfa791

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
097e57b9e6613e83bff80e4d051be526

SHA1
7721b0a5c4eb3678c62db75041d1228f41b8a33c

SHA256
2743875641d74199a2e6a850b8a9401fffbbc6ff3b0ee120d58cf60a60a361b8

SHA512
43a2e7291a2ff34b291c342b1be82089bfc38a996143cbc57cbcae062ed72faf662b82634436cee229cff238ecba7164c2beca0ba33e09422324538af75bdf17

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
fe55361409247de324c5dc41693dc669

SHA1
f37c1bf98c8eefe946de21fcd0b8d96e80cd7215

SHA256
fadf664db20711db68789d55d76105b75011ec06a37f98d2494ad6366de2e4c1

SHA512
22da0fadf470c52d8ecf8c476d28a2457966cac65af1ef63e8c84cfcd749389d1619282671c725874f08d8269d9b18113e8817e93d2dd314ba94f8eda570e581

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
c13595e662139bf159d7843704a43301

SHA1
f5d4b52857a6aec5238faf26ea46ebefa52233a1

SHA256
93d2eb6f32e3890c58028313b8f0e61c2cd73023b8a93e79ae5477774102d8b2

SHA512
6c614b81332a660dd0ac25a276fc2e59878bf9155136b86dd63b5d91f0feca725789f5a24bcca385fb8d5d74a09696bc228af5365b05d16dbc2234560bd78dfd

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
328331d8bc2104a2f459b7a6487a2f23

SHA1
00332e477a638aa2ac67277f18b9569d56c0b005

SHA256
fe5bd68adf51d7cd9b4602c2aaa84361f81cc642f9c65e347f0616d96b89b5ab

SHA512
29f982061bc130d04c1194e370a9ec8fe531455eefbf199d706291c1664156b38b3391e865e065e7dc5a3205491de6d9eb51fbc8f2fcc4e7ccd459033b810542

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
77e23d242697eaec6cc4faa60ea25ce6

SHA1
aea46e15dff3a94a9108730cfeed338d5e81961f

SHA256
6cd0e207255213c4947b82e713ad019fda76448c187aea34a6a9a3825da16c1f

SHA512
7a7bec0febce765757a64f7db9108cdda46be474cd1c5794fb2dda1fb0685cc203d5b4016c6e7a942d8bbce1a332be2d62b5225173be5034024b406d36afda08

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
96b445af95ae7fc1d3214cae5b45f983

SHA1
59a393f4bfac211583de28c9218f312bbdebb0a8

SHA256
2a654b1b793f22a806e773ad7e30044d24c1a52603a0dddef4008906a13f7d43

SHA512
a063e975c3e3375efe6255e690566d5941014cf4c67972f25ba49136f80e2fa786112cd415a19917110da55db156bc720f968d540d4d12b9439ab48fc0f66670

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
6a0d086710f77a2438630fbc43090a6d

SHA1
f1827cc032d37cfcc9c7c86b697146574f6fcc97

SHA256
a17d878f30f530a6204027ca063ad967091b28553fa0dcc308a32aed01263818

SHA512
82a3f5a9350bb6f185417d54ff3bf2bd3b269e93980c941944e8309b88fecd6dd02e14dd46c996843fc1d79fe98e303088a1e55feeda4043d4ba8db41ee6ac02

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
423149d38a66b18f7772a12d96d2de7f

SHA1
e7e224ccd36845de21f21b0e796759bd323f2206

SHA256
fe959a62171afb09d381c519743669b8c7d72f968d5f9776d963ea2b97811d39

SHA512
77dc503cf907aa4634ba9b206d8e4273946ed8b500f18eac2ab296231edb95931e922c3092b54d5151a58f99d018af072b00c6f2c1e21d53d8647bcce0dff142

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
3e83d8013b1d861880e234da6dee5f0b

SHA1
22f68cfac5413c113cbb733c4caaa1e29816717c

SHA256
39d27a36ee615ee145710c0dfc4ac38f6dcdf1cef4fea1be78c85c6a55cc5cae

SHA512
f3edccaba35d519b5020c131f6aa42ea7f08ebb80e577ba1cb085b321d3d19b52ea82164a5824f81d38be14fd6ec97b128c13eca01ee34a80d0527ae874b89ea

Download Submit
memory/324-176-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/324-184-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/324-178-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/324-323-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/324-353-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/324-273-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1172-193-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1172-279-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1172-341-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1272-475-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1272-476-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1272-429-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/1272-479-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/1272-358-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1480-190-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1480-127-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1480-120-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1480-119-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1596-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1596-569-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/1872-446-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1872-434-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1872-502-0x00000000747C8000-0x00000000747DD000-memory.dmp

Filesize
84KB

Download
memory/1888-452-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1888-520-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/1888-447-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1888-478-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/1888-521-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1888-522-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1904-111-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1904-106-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1904-172-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1904-105-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2200-292-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2200-282-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2200-364-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2256-303-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2256-155-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2256-156-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2256-162-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2352-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2352-1-0x0000000000720000-0x0000000000786000-memory.dmp

Filesize
408KB

Download
memory/2352-6-0x0000000000720000-0x0000000000786000-memory.dmp

Filesize
408KB

Download
memory/2352-272-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2352-136-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2508-344-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2508-356-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2576-296-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2576-305-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2576-477-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2632-313-0x0000000000E80000-0x0000000000F00000-memory.dmp

Filesize
512KB

Download
memory/2632-320-0x000007FEF4970000-0x000007FEF530D000-memory.dmp

Filesize
9.6MB

Download
memory/2632-461-0x0000000000E80000-0x0000000000F00000-memory.dmp

Filesize
512KB

Download
memory/2632-567-0x000007FEF4970000-0x000007FEF530D000-memory.dmp

Filesize
9.6MB

Download
memory/2632-326-0x000007FEF4970000-0x000007FEF530D000-memory.dmp

Filesize
9.6MB

Download
memory/2632-550-0x0000000000E80000-0x0000000000F00000-memory.dmp

Filesize
512KB

Download
memory/2632-500-0x000007FEF4970000-0x000007FEF530D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-137-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2796-144-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2796-289-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-154-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2988-44-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2988-55-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2988-12-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2988-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3016-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3016-175-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3016-101-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/3016-95-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/3020-328-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/3020-311-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3020-487-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3068-321-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3068-331-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/3068-363-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/3068-362-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download