2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314

Analysis

max time kernel
116s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
Size

1.8MB
MD5

12e36dae115bae1edf3ef802285dc12a
SHA1

a56d18565c7c77373d47a51b5eb3bbf80e090d4e
SHA256

2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314
SHA512

9fb8ea6317176c55f06fb40cb82f18d02d063e2c40cc26801f731d3e554bf86e36ab15e46d09a2447419c03823af77b823710a12d694032ee21bf4bd0a016ff5
SSDEEP

49152:Gx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+/snji6attJM:GvbjVkjjCAzJDEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 50 IoCs

pid	Process
480	Process not Found
1036	alg.exe
1592	aspnet_state.exe
472	mscorsvw.exe
984	mscorsvw.exe
2016	mscorsvw.exe
3048	mscorsvw.exe
1400	ehRecvr.exe
2988	ehsched.exe
1568	elevation_service.exe
2920	GROOVE.EXE
2384	maintenanceservice.exe
1312	OSE.EXE
2312	mscorsvw.exe
2112	OSPPSVC.EXE
1788	mscorsvw.exe
2164	mscorsvw.exe
3036	mscorsvw.exe
384	mscorsvw.exe
2012	mscorsvw.exe
888	mscorsvw.exe
1596	mscorsvw.exe
2312	mscorsvw.exe
1976	mscorsvw.exe
1788	mscorsvw.exe
2432	mscorsvw.exe
332	mscorsvw.exe
1996	mscorsvw.exe
1408	mscorsvw.exe
1472	mscorsvw.exe
2012	mscorsvw.exe
2196	mscorsvw.exe
1528	mscorsvw.exe
2136	mscorsvw.exe
1976	mscorsvw.exe
3024	mscorsvw.exe
2164	mscorsvw.exe
2212	mscorsvw.exe
1212	mscorsvw.exe
2884	dllhost.exe
2504	IEEtwCollector.exe
2836	msdtc.exe
2596	msiexec.exe
332	mscorsvw.exe
2228	mscorsvw.exe
1656	mscorsvw.exe
780	mscorsvw.exe
1964	perfhost.exe
448	locator.exe
1780	snmptrap.exe

Loads dropped DLL 11 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2596	msiexec.exe
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7cdf75642a37835d.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\System32\alg.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT2251.tmp	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_zh-TW.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_es.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_sw.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_uk.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_zh-CN.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_ar.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_bn.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0CE5CC7E-EAA3-4562-A781-DCB0067BB36A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\GoogleUpdateBroker.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_ro.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_ur.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_sr.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_th.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\goopdateres_fr.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\psuser_64.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\GoogleUpdateSetup.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2250.tmp\psmachine.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D33667F3-2C72-40AD-974D-D95B21BFE18F}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D33667F3-2C72-40AD-974D-D95B21BFE18F}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2592	ehRec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2924	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: 33	2184	EhTray.exe
Token: SeIncBasePriorityPrivilege	2184	EhTray.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeDebugPrivilege	2592	ehRec.exe
Token: 33	2184	EhTray.exe
Token: SeIncBasePriorityPrivilege	2184	EhTray.exe
Token: SeDebugPrivilege	1036	alg.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1592	aspnet_state.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2184	EhTray.exe
2184	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2184	EhTray.exe
2184	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2312	2016	mscorsvw.exe	51
PID 2016 wrote to memory of 2312	2016	mscorsvw.exe	51
PID 2016 wrote to memory of 2312	2016	mscorsvw.exe	51
PID 2016 wrote to memory of 2312	2016	mscorsvw.exe	51
PID 2016 wrote to memory of 1788	2016	mscorsvw.exe	53
PID 2016 wrote to memory of 1788	2016	mscorsvw.exe	53
PID 2016 wrote to memory of 1788	2016	mscorsvw.exe	53
PID 2016 wrote to memory of 1788	2016	mscorsvw.exe	53
PID 2016 wrote to memory of 2164	2016	mscorsvw.exe	65
PID 2016 wrote to memory of 2164	2016	mscorsvw.exe	65
PID 2016 wrote to memory of 2164	2016	mscorsvw.exe	65
PID 2016 wrote to memory of 2164	2016	mscorsvw.exe	65
PID 2016 wrote to memory of 3036	2016	mscorsvw.exe	46
PID 2016 wrote to memory of 3036	2016	mscorsvw.exe	46
PID 2016 wrote to memory of 3036	2016	mscorsvw.exe	46
PID 2016 wrote to memory of 3036	2016	mscorsvw.exe	46
PID 2016 wrote to memory of 384	2016	mscorsvw.exe	47
PID 2016 wrote to memory of 384	2016	mscorsvw.exe	47
PID 2016 wrote to memory of 384	2016	mscorsvw.exe	47
PID 2016 wrote to memory of 384	2016	mscorsvw.exe	47
PID 2016 wrote to memory of 2012	2016	mscorsvw.exe	59
PID 2016 wrote to memory of 2012	2016	mscorsvw.exe	59
PID 2016 wrote to memory of 2012	2016	mscorsvw.exe	59
PID 2016 wrote to memory of 2012	2016	mscorsvw.exe	59
PID 2016 wrote to memory of 888	2016	mscorsvw.exe	49
PID 2016 wrote to memory of 888	2016	mscorsvw.exe	49
PID 2016 wrote to memory of 888	2016	mscorsvw.exe	49
PID 2016 wrote to memory of 888	2016	mscorsvw.exe	49
PID 2016 wrote to memory of 1596	2016	mscorsvw.exe	50
PID 2016 wrote to memory of 1596	2016	mscorsvw.exe	50
PID 2016 wrote to memory of 1596	2016	mscorsvw.exe	50
PID 2016 wrote to memory of 1596	2016	mscorsvw.exe	50
PID 2016 wrote to memory of 2312	2016	mscorsvw.exe	51
PID 2016 wrote to memory of 2312	2016	mscorsvw.exe	51
PID 2016 wrote to memory of 2312	2016	mscorsvw.exe	51
PID 2016 wrote to memory of 2312	2016	mscorsvw.exe	51
PID 2016 wrote to memory of 1976	2016	mscorsvw.exe	63
PID 2016 wrote to memory of 1976	2016	mscorsvw.exe	63
PID 2016 wrote to memory of 1976	2016	mscorsvw.exe	63
PID 2016 wrote to memory of 1976	2016	mscorsvw.exe	63
PID 2016 wrote to memory of 1788	2016	mscorsvw.exe	53
PID 2016 wrote to memory of 1788	2016	mscorsvw.exe	53
PID 2016 wrote to memory of 1788	2016	mscorsvw.exe	53
PID 2016 wrote to memory of 1788	2016	mscorsvw.exe	53
PID 2016 wrote to memory of 2432	2016	mscorsvw.exe	54
PID 2016 wrote to memory of 2432	2016	mscorsvw.exe	54
PID 2016 wrote to memory of 2432	2016	mscorsvw.exe	54
PID 2016 wrote to memory of 2432	2016	mscorsvw.exe	54
PID 2016 wrote to memory of 332	2016	mscorsvw.exe	55
PID 2016 wrote to memory of 332	2016	mscorsvw.exe	55
PID 2016 wrote to memory of 332	2016	mscorsvw.exe	55
PID 2016 wrote to memory of 332	2016	mscorsvw.exe	55
PID 2016 wrote to memory of 1996	2016	mscorsvw.exe	56
PID 2016 wrote to memory of 1996	2016	mscorsvw.exe	56
PID 2016 wrote to memory of 1996	2016	mscorsvw.exe	56
PID 2016 wrote to memory of 1996	2016	mscorsvw.exe	56
PID 2016 wrote to memory of 1408	2016	mscorsvw.exe	57
PID 2016 wrote to memory of 1408	2016	mscorsvw.exe	57
PID 2016 wrote to memory of 1408	2016	mscorsvw.exe	57
PID 2016 wrote to memory of 1408	2016	mscorsvw.exe	57
PID 2016 wrote to memory of 1472	2016	mscorsvw.exe	58
PID 2016 wrote to memory of 1472	2016	mscorsvw.exe	58
PID 2016 wrote to memory of 1472	2016	mscorsvw.exe	58
PID 2016 wrote to memory of 1472	2016	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
"C:\Users\Admin\AppData\Local\Temp\2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:472

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 238 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 268 -NGENProcess 23c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 264 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 248 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 268 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 248 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 290 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 244 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 27c -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a0 -NGENProcess 25c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 244 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 284 -NGENProcess 25c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1fc -NGENProcess 298 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1d8 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 1fc -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 248 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1c8 -NGENProcess 264 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 124 -NGENProcess 128 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 228 -NGENProcess 230 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1400

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2384

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1312

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2112

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2884

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2356

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1360

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1408

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
55b0daeaa23fa633a667999992dc0e3c

SHA1
667badbce08fd381d499a513269822b8d50e5133

SHA256
196a11ec9ac1301d82ca75c97ae4875541ac392eb55da6a664be7905ea13357d

SHA512
3e42ac6ed8d7a0361adb3f0327468d2ed2005391f05c4a3077d2deebed3062f5db2e0bc2eb01bdfd90f9e87f5dfd10d31cdefbbba2f58bcb934d40c66466bdf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a7ebb96bff2aed9850f24d95a6f39bad

SHA1
3807895de5e71b674061adfabbe1c23a0982f55e

SHA256
42968efd2d1901565df37b17fd690ae32d2e24ec8ea04bb3b88082298cf00617

SHA512
19fe66277a8789d6523afd55a8d336538e1df1e687844becaaefc01c334c26bb1877956acbbec9f4a33c3d0fae1876c51aea683773ee750056c6460bb57443bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6dadd7b680e1ece606d369fe2478ee12

SHA1
5b7984fe73720f4b05f8af3865f8a97840df53f7

SHA256
3021d1b11c1313723bbfc04d8af70d880e457a47a5189e6f4288929c58e0cb62

SHA512
bbb334c7f5dbfe0af420ff76ec6645fddc68ec99a51aabd758009595c0510eba4a4f96ad6bb0b2cfa7629fb725a5479e1a1b700141e164885ef069263e47335c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
134b8469f0355b7e5832f6a9c2d10a69

SHA1
99f9f1c4073f15e73388ca50348d83303ed537f1

SHA256
59d6fc990a1e9b1a6afdcf5fbac24f53a1372fc7ef37b5f5f75f992c51e6bc7a

SHA512
be787aee453dc4ea6b41d3e2615db3953f6229e4369875bd14a9a0bf8ea267487bd60d738731120e8b9d8f89643bb4a4c8ef634da0782bd9d5833b703344455f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e4f2425a2997ca20888b5c0408ecb8c0

SHA1
792e0c8aa99bfa15b12b712c1d147ef26052b1cb

SHA256
6a6f24d1f226d3785b0fdddb2ce2ad20b5d9ef780e45f66875b98eaa12b680b8

SHA512
3ea42b9bbac2401052c1c6213c47536efe8085206c0d02aeae52d4ee047174943d3562c485b80e430d6e81d1bbc5c6dc44fcd4f4136b8060d00a8883864bba85

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6981ecfd697e640771247b6fccf8e87c

SHA1
a90c65819e4d380f04baff231754c906c5d72c1d

SHA256
1a98ae8e728e5be2c30b9ea3d90107360dee9a2f5b7f8f1d9b5dc402ca2b11ac

SHA512
e7e4360395fe59c52f35ab38cd775644eef37724a62dd4eb7088ade6037409b67f090f6f14046560c011d311597aa9aae226905b8b12337ed8bd7435a91dbfab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
68c1077294fe1cddf2ae17c3ba81c69b

SHA1
14c9d35164a2d904a46d46aebd5df7a0880de635

SHA256
98410de6b6ffcdbb2f765a59e3bb6e34b1134821e5bb84d6b92e5af0724b118d

SHA512
069d09b53f23f4f879e1d8bb72c057549b9db778f493b0fb1954be9d7cc0f4f94e7b7a890c73554f1e6ac9506f669310a1201326ecd3b46057c8bc04e2beddfe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6d06812f218008194cdc0052d69b70e1

SHA1
9395cadffb5588afe1cb43626243a0d8e9cf9004

SHA256
4b8a8bea0c41d14ec86f54a82f3218d35077419131c04d183256a5adbca20d05

SHA512
c16d22f433afe6f565803606b6abc6a58c1db7fa99907ccfe5d4cec4c2b6880d9a22472b6c32e3d50128cb563db999c4a98ecc8de6fb14381d445d9800f2602e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
577141e20932c8f6168f19f7008d2e12

SHA1
351b79e4ca0742095c42ec7dcc5ce322def0a21c

SHA256
2531b813a10714a3da18b0135eaa4c409ce64d5ae4ee49d73d0851da3fe25d29

SHA512
209005c03c08e6f6c1b9452562a43a53015ff6b68c5fef2c769efab57375bd7b931af174d77f3062312a459dfb0b48fb10d92fe26d2184b719f6e5d9405b3816

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
9751f42601e4c4faea697673301041f9

SHA1
f00b5e727fdc373e1171007d4a650ede7726bbf3

SHA256
a7aeb6b00299134c5e45bdf8014fe52275787763143f0a692459b3156bcb85bf

SHA512
e75f1f069577a89807f25df89d95d34f5dfaba4b5aa0a9c113c354314be7761e609c17bbd41f8e048c30124b1029c66c760403116bb9331500d01c0289826ccd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
59837979f6d10c52eea70aeec3bfa1f4

SHA1
e0f74ac635425fde8af29ec4896692c5229f2e2d

SHA256
79086deaf3311631ad47d70ea156563c84d0fca7e28445f52b0b686a20f249bc

SHA512
089834b145660caf1e36f9d9a17ca4350d496f5a90275d0fef2c885c4d795bf390ff97308055da29787de6ecaade6b553fdcbb184d029a134b596b5061fe3446

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
1375345a19d86409eb12342c9e4a7e94

SHA1
da051093e5984d8eeabe1c11f96e65c87486f5ac

SHA256
05f16bebe60d704c47aa844838f87b574a8173fd587c00966a2b09dfb7662bb2

SHA512
6061d978ee02947b90976e42e6e8c23f4b5d51df9c4416cd16a2fb50be63ec1039f53728dacae43dbaa15b29634a21ca6af2c04bfcff8d1c4224b0f7a003004a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
860c06b37b2a582d31fed0fefca3fe99

SHA1
1c374cfbb19024d396c25872bcfc81a7f4f9a19d

SHA256
a5c47e67e4f15c173d5bebbce3af9f8e250a79fe95d129a0a0c682c8ade3a0a8

SHA512
9a00f6764bd41b1d37de7f76fce606c34f091d2a2c33b7769e980337aafe73443c82f5952fec819b4205d6e11ad5779f481e6f7eba05019908f882a8be95aabe

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
d327960f90727e9eaf9177eeda18cd81

SHA1
1c3bfe91a1925bc66e3d737aea5b4d0618d9cddb

SHA256
96be4837addef62fd6df57e1ef25dad91cf5ed17defd498a3aef715b83a52847

SHA512
2637c64f3f6e209c9b693e593418ffa35e803393f2ccdf5b71187a5dd7d0de9a93e68a2bc27f96b7c2a17b4bd4297591019e4b5937128b830f4c7b0c99c711f5

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
3a10720314a7127dffc92b58dab00c97

SHA1
bd50661e2a0d2bbfbaab3c3889176608e64a774b

SHA256
2451aad50a1cb5361c9f1a5636d33cdc639b14ef8dbee7105d50f1bfbcedd53d

SHA512
96355667bc5d71469c22789e705237922289de9138fa5f948fc50d1ce2a6cf2d618b5ee86b1d225f113478e6446e83a49913e422eb7a75643923193ef83bf189

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a1003ae0b8b7cd8f4e8f5ca3de2dacec

SHA1
f09634618d5161fccf44e40ef5e73680d3c6860f

SHA256
6a7a18b149767d08e31f4eba2f354b70bf65b76501c45821086a42437d98df49

SHA512
6d9bba3df00630fb105c88f6e39fe58d93def1e9c80bf1b0b42d368100258c699ec07b9aad3558984e241da14a4165ed757b8d42b4e658fa065778dd20f33b83

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
918ae66ca57069f687570918a8a833d5

SHA1
440d26818b78707a3177b2e34c48c2d967b9d655

SHA256
61f6f8015106aa022efb676c99274c79e00112c3e6d230a6d9af9c1865c60389

SHA512
4b4b01a5edea149f7102be9eb4ad4653d81388aa9c8f8252d3b8d69ed1ca1d7c12095a5b5dfd05d1a9f3ff8572f4937a2d0366334595c6767ed994137d76625f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
1dbab59bb81d663c5f3e0082afc0a970

SHA1
85e1808661f66f3981cd241bd66713acb400407e

SHA256
753c6c8560a344401c71becde3fd67a4c3e20fe094b5614cf61a8b8b75f9e784

SHA512
a93b6cc236bf45702f36872923da85475423ddc2bcad62f2e82c2e3ea8ec37f2581c6bd73a084242fb3a91d3ee2f3ef618ce79e7b19dbd7fb51cd3feb151a56f

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
76a2aa3c5fbf02ae783591b79ebf64cf

SHA1
402cc43776728456fe1d318d30478f9f8500650f

SHA256
dbecb0f457d5fbad1574b2fd23cf0c1c0e96ebab2021651162c0e408cd5c25ae

SHA512
440efe519ba0331c2c889fee21f50bd47c2e4770d520749f3cdb479fa03dbb218fb72bfaaf6f8e56b9e4b2d18d58a359ffbab3fcdb795abc00b29b07f6dcb825

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
42ea7e605d4826ac9683c5fd84bbbc12

SHA1
cb4983802719421ebc2dc5161f620f45a4385954

SHA256
40009588b95643cdc318445adb3cc38d5059f7fd97da27dc967924b3fdad8e5e

SHA512
d60b28ebf1a114d1b8fa03086dac4cef7964b64821e4f3dc7831dce67e7c684690fbab42d0235e0e7c06cd2808cf4f2d54a832b49022d5e0563c9e205114a69e

Download Submit
memory/472-142-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/472-112-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/472-106-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/472-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/984-130-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/984-129-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/984-123-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/984-122-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/984-159-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1036-17-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1036-13-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1036-161-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1036-45-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1312-482-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1312-332-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1312-338-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1400-183-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-188-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1400-311-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-279-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1568-283-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1568-355-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1568-291-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/1592-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1592-180-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1592-102-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1592-95-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1788-516-0x00000000724A0000-0x0000000072B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1788-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1788-489-0x00000000724A0000-0x0000000072B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1788-469-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2016-282-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2016-146-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2016-145-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2016-151-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2112-378-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2112-397-0x0000000073A48000-0x0000000073A5D000-memory.dmp

Filesize
84KB

Download
memory/2112-364-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2112-357-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2112-537-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2164-552-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2164-509-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2164-513-0x00000000724A0000-0x0000000072B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-555-0x00000000724A0000-0x0000000072B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-465-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2312-343-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2312-350-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2312-388-0x00000000724A0000-0x0000000072B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2384-326-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2384-313-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2384-327-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2384-320-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2592-301-0x000007FEF40A0000-0x000007FEF4A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-304-0x000007FEF40A0000-0x000007FEF4A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-375-0x000007FEF40A0000-0x000007FEF4A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-374-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2592-362-0x000007FEF40A0000-0x000007FEF4A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-345-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2592-302-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2592-506-0x0000000000D60000-0x0000000000DE0000-memory.dmp

Filesize
512KB

Download
memory/2920-305-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/2920-309-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2920-373-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2924-7-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2924-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2924-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2924-277-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2924-1-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2924-6-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2988-329-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2988-193-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2988-275-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/3036-556-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/3048-292-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3048-162-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/3048-163-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3048-170-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/3048-169-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download