Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 01-08-2024 23:58

Static task: static1
Behavioral task: behavioral1
Sample: 21d51819cefab4b4d0ff4ba18e105480N.exe
Resource: win7-20240704-en

General
Target: 21d51819cefab4b4d0ff4ba18e105480N.exe
Size: 1.3MB
MD5: 21d51819cefab4b4d0ff4ba18e105480
SHA1: 83bd019fca7972dfa4377d086d6744900bebc991
SHA256: 647b396fe931c059aa6c4d170e1d3aca915327662a93962e5665a5bc217fe3cf
SHA512: 0eaea8ce9790bd818f15afeb10d8c86bcaff6ed7fce4b390eb4cef65fd4b6b60bcf0db39c22a695357393b9a109e8e5df94ca1c8d66ac33b158860580929e74c
SSDEEP: 24576:tvIBwtW/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:tvILLNiXicJFFRGNzj3
Malware Config
Signatures
Executes dropped EXE 57 IoCs
pid | Process
460 | Process not Found
2972 | alg.exe
2744 | aspnet_state.exe
2568 | mscorsvw.exe
2528 | mscorsvw.exe
2516 | mscorsvw.exe
2416 | mscorsvw.exe
1096 | ehRecvr.exe
1464 | ehsched.exe
2124 | elevation_service.exe
2772 | IEEtwCollector.exe
2444 | GROOVE.EXE
2504 | maintenanceservice.exe
1764 | msdtc.exe
2896 | msiexec.exe
1716 | OSE.EXE
2840 | perfhost.exe
2688 | mscorsvw.exe
2088 | locator.exe
2232 | snmptrap.exe
2472 | vds.exe
2860 | mscorsvw.exe
768 | mscorsvw.exe
1600 | vssvc.exe
236 | wbengine.exe
868 | WmiApSrv.exe
696 | wmpnetwk.exe
2480 | mscorsvw.exe
2796 | mscorsvw.exe
1188 | SearchIndexer.exe
2552 | mscorsvw.exe
1588 | mscorsvw.exe
1972 | mscorsvw.exe
2224 | mscorsvw.exe
2488 | mscorsvw.exe
1584 | mscorsvw.exe
2716 | mscorsvw.exe
2852 | mscorsvw.exe
2376 | mscorsvw.exe
1644 | mscorsvw.exe
2060 | mscorsvw.exe
2004 | mscorsvw.exe
1972 | mscorsvw.exe
2376 | mscorsvw.exe
1520 | mscorsvw.exe
2016 | mscorsvw.exe
2152 | mscorsvw.exe
2692 | mscorsvw.exe
2508 | mscorsvw.exe
2860 | mscorsvw.exe
3040 | mscorsvw.exe
2996 | mscorsvw.exe
2188 | mscorsvw.exe
2700 | mscorsvw.exe
2152 | mscorsvw.exe
1352 | mscorsvw.exe
668 | mscorsvw.exe
Loads dropped DLL 16 IoCs
pid | Process
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
2896 | msiexec.exe
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
744 | Process not Found
2152 | mscorsvw.exe
2152 | mscorsvw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in System32 directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\fxssvc.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3ee83435d264f17b.bin | aspnet_state.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\locator.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\System32\vds.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\system32\dllhost.exe | aspnet_state.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | aspnet_state.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
Drops file in Windows directory 41 IoCs
description | ioc | Process
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEC90.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | aspnet_state.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 21d51819cefab4b4d0ff4ba18e105480N.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | aspnet_state.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | aspnet_state.exe
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 21d51819cefab4b4d0ff4ba18e105480N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OSE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GROOVE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process
1352 | ehRec.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
2744 | aspnet_state.exe
2744 | aspnet_state.exe
2744 | aspnet_state.exe
2744 | aspnet_state.exe
2744 | aspnet_state.exe
Suspicious use of AdjustPrivilegeToken 56 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: 33 | 2076 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2076 | EhTray.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeDebugPrivilege | 1352 | ehRec.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeRestorePrivilege | 2896 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2896 | msiexec.exe
Token: SeSecurityPrivilege | 2896 | msiexec.exe
Token: 33 | 2076 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2076 | EhTray.exe
Token: SeBackupPrivilege | 1600 | vssvc.exe
Token: SeRestorePrivilege | 1600 | vssvc.exe
Token: SeAuditPrivilege | 1600 | vssvc.exe
Token: SeBackupPrivilege | 236 | wbengine.exe
Token: SeRestorePrivilege | 236 | wbengine.exe
Token: SeSecurityPrivilege | 236 | wbengine.exe
Token: SeManageVolumePrivilege | 1188 | SearchIndexer.exe
Token: 33 | 1188 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1188 | SearchIndexer.exe
Token: 33 | 696 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 696 | wmpnetwk.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeDebugPrivilege | 760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege | 760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege | 760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege | 760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeDebugPrivilege | 760 | 21d51819cefab4b4d0ff4ba18e105480N.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeDebugPrivilege | 2744 | aspnet_state.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Token: SeShutdownPrivilege | 2416 | mscorsvw.exe
Token: SeShutdownPrivilege | 2516 | mscorsvw.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2076 EhTray.exe
2076 EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
2076 EhTray.exe
2076 EhTray.exe
-
Suspicious use of SetWindowsHookEx 23 IoCs
pid Process
760 21d51819cefab4b4d0ff4ba18e105480N.exe
760 21d51819cefab4b4d0ff4ba18e105480N.exe
2596 SearchProtocolHost.exe
2596 SearchProtocolHost.exe
2596 SearchProtocolHost.exe
2596 SearchProtocolHost.exe
2596 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2752 SearchProtocolHost.exe
2596 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2516 wrote to memory of 2688 2516 mscorsvw.exe 46
PID 2516 wrote to memory of 2688 2516 mscorsvw.exe 46
PID 2516 wrote to memory of 2688 2516 mscorsvw.exe 46
PID 2516 wrote to memory of 2688 2516 mscorsvw.exe 46
PID 2516 wrote to memory of 2860 2516 mscorsvw.exe 82
PID 2516 wrote to memory of 2860 2516 mscorsvw.exe 82
PID 2516 wrote to memory of 2860 2516 mscorsvw.exe 82
PID 2516 wrote to memory of 2860 2516 mscorsvw.exe 82
PID 2516 wrote to memory of 768 2516 mscorsvw.exe 52
PID 2516 wrote to memory of 768 2516 mscorsvw.exe 52
PID 2516 wrote to memory of 768 2516 mscorsvw.exe 52
PID 2516 wrote to memory of 768 2516 mscorsvw.exe 52
PID 2516 wrote to memory of 2480 2516 mscorsvw.exe 57
PID 2516 wrote to memory of 2480 2516 mscorsvw.exe 57
PID 2516 wrote to memory of 2480 2516 mscorsvw.exe 57
PID 2516 wrote to memory of 2480 2516 mscorsvw.exe 57
PID 2516 wrote to memory of 2796 2516 mscorsvw.exe 58
PID 2516 wrote to memory of 2796 2516 mscorsvw.exe 58
PID 2516 wrote to memory of 2796 2516 mscorsvw.exe 58
PID 2516 wrote to memory of 2796 2516 mscorsvw.exe 58
PID 2516 wrote to memory of 2552 2516 mscorsvw.exe 60
PID 2516 wrote to memory of 2552 2516 mscorsvw.exe 60
PID 2516 wrote to memory of 2552 2516 mscorsvw.exe 60
PID 2516 wrote to memory of 2552 2516 mscorsvw.exe 60
PID 1188 wrote to memory of 2596 1188 SearchIndexer.exe 61
PID 1188 wrote to memory of 2596 1188 SearchIndexer.exe 61
PID 1188 wrote to memory of 2596 1188 SearchIndexer.exe 61
PID 1188 wrote to memory of 2644 1188 SearchIndexer.exe 62
PID 1188 wrote to memory of 2644 1188 SearchIndexer.exe 62
PID 1188 wrote to memory of 2644 1188 SearchIndexer.exe 62
PID 2516 wrote to memory of 1588 2516 mscorsvw.exe 63
PID 2516 wrote to memory of 1588 2516 mscorsvw.exe 63
PID 2516 wrote to memory of 1588 2516 mscorsvw.exe 63
PID 2516 wrote to memory of 1588 2516 mscorsvw.exe 63
PID 2516 wrote to memory of 1972 2516 mscorsvw.exe 75
PID 2516 wrote to memory of 1972 2516 mscorsvw.exe 75
PID 2516 wrote to memory of 1972 2516 mscorsvw.exe 75
PID 2516 wrote to memory of 1972 2516 mscorsvw.exe 75
PID 2516 wrote to memory of 2224 2516 mscorsvw.exe 65
PID 2516 wrote to memory of 2224 2516 mscorsvw.exe 65
PID 2516 wrote to memory of 2224 2516 mscorsvw.exe 65
PID 2516 wrote to memory of 2224 2516 mscorsvw.exe 65
PID 2516 wrote to memory of 2488 2516 mscorsvw.exe 66
PID 2516 wrote to memory of 2488 2516 mscorsvw.exe 66
PID 2516 wrote to memory of 2488 2516 mscorsvw.exe 66
PID 2516 wrote to memory of 2488 2516 mscorsvw.exe 66
PID 2516 wrote to memory of 1584 2516 mscorsvw.exe 67
PID 2516 wrote to memory of 1584 2516 mscorsvw.exe 67
PID 2516 wrote to memory of 1584 2516 mscorsvw.exe 67
PID 2516 wrote to memory of 1584 2516 mscorsvw.exe 67
PID 2516 wrote to memory of 2716 2516 mscorsvw.exe 68
PID 2516 wrote to memory of 2716 2516 mscorsvw.exe 68
PID 2516 wrote to memory of 2716 2516 mscorsvw.exe 68
PID 2516 wrote to memory of 2716 2516 mscorsvw.exe 68
PID 2516 wrote to memory of 2852 2516 mscorsvw.exe 69
PID 2516 wrote to memory of 2852 2516 mscorsvw.exe 69
PID 2516 wrote to memory of 2852 2516 mscorsvw.exe 69
PID 2516 wrote to memory of 2852 2516 mscorsvw.exe 69
PID 2516 wrote to memory of 2376 2516 mscorsvw.exe 76
PID 2516 wrote to memory of 2376 2516 mscorsvw.exe 76
PID 2516 wrote to memory of 2376 2516 mscorsvw.exe 76
PID 2516 wrote to memory of 2376 2516 mscorsvw.exe 76
PID 2516 wrote to memory of 1644 2516 mscorsvw.exe 71
PID 2516 wrote to memory of 1644 2516 mscorsvw.exe 71
-
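A short triage script for the two tables above, added here as an example and not part of the sandbox report: it parses the flattened "Token: <privilege> <pid> <image>" and "PID <a> wrote to memory of <b> <a> <image> <n>" rows, collapses the repeated privilege rows into one set per process, flags sensitive privileges enabled by anything outside an assumed baseline, and checks every WriteProcessMemory pair against the parent-spawns-child pattern that accounts for all 64 rows in this report (mscorsvw.exe writing into the NGen worker processes it just created, SearchIndexer.exe into SearchProtocolHost/SearchFilterHost, which is the normal CreateProcess start-up write). Assumptions: the bare "33" is the raw privilege LUID, which winnt.h defines as SE_INC_WORKING_SET_PRIVILEGE; the EXPECTED_HOLDERS and EXPECTED_WRITES allow-lists and the PID-to-name map are mine; and the last WriteProcessMemory row (760 into 2972) is a constructed negative case that does not appear in the report.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "Suspicious use of AdjustPrivilegeToken" rows above,
# pasted in the flattened form the report uses (privilege, pid, image name).
TOKEN_ROWS = (
    "Token: SeTakeOwnershipPrivilege 760 21d51819cefab4b4d0ff4ba18e105480N.exe "
    "Token: SeShutdownPrivilege 2516 mscorsvw.exe "
    "Token: 33 2076 EhTray.exe "
    "Token: SeIncBasePriorityPrivilege 2076 EhTray.exe "
    "Token: SeDebugPrivilege 1352 ehRec.exe "
    "Token: SeRestorePrivilege 2896 msiexec.exe "
    "Token: SeBackupPrivilege 1600 vssvc.exe "
    "Token: SeDebugPrivilege 760 21d51819cefab4b4d0ff4ba18e105480N.exe "
    "Token: SeDebugPrivilege 760 21d51819cefab4b4d0ff4ba18e105480N.exe "
    "Token: SeDebugPrivilege 2744 aspnet_state.exe"
)

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" rows above, plus one
# hypothetical row (PID 760 -> 2972) that is NOT in the report, to show a flagged case.
WPM_ROWS = (
    "PID 2516 wrote to memory of 2688 2516 mscorsvw.exe 46 "
    "PID 1188 wrote to memory of 2596 1188 SearchIndexer.exe 61 "
    "PID 1188 wrote to memory of 2644 1188 SearchIndexer.exe 62 "
    "PID 760 wrote to memory of 2972 760 21d51819cefab4b4d0ff4ba18e105480N.exe 99"
)

# pid -> image name for the write targets, copied from the Processes tree above.
PID_NAMES = {2688: "mscorsvw.exe", 2596: "SearchProtocolHost.exe",
             2644: "SearchFilterHost.exe", 2972: "alg.exe"}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# The report prints a bare number when it cannot name a privilege. Assumption: that number
# is the LUID, and winnt.h defines SE_INC_WORKING_SET_PRIVILEGE as 33.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

SENSITIVE = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
             "SeBackupPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege"}

# Assumed baseline of Windows components that need these privileges for their normal job.
# SeDebugPrivilege deliberately has no entry: every holder gets reviewed by hand.
EXPECTED_HOLDERS = {
    "SeRestorePrivilege": {"msiexec.exe", "vssvc.exe", "wbengine.exe"},
    "SeBackupPrivilege": {"vssvc.exe", "wbengine.exe"},
    "SeTakeOwnershipPrivilege": {"msiexec.exe"},
}

# Writer -> target image pairs where a write at process start-up is the normal
# CreateProcess pattern (assumed allow-list, derived from the tree in this report).
EXPECTED_WRITES = {("mscorsvw.exe", "mscorsvw.exe"),
                   ("SearchIndexer.exe", "SearchProtocolHost.exe"),
                   ("SearchIndexer.exe", "SearchFilterHost.exe")}


def parse_token_rows(text):
    """Return (privilege, pid, image) tuples with numeric LUIDs resolved where known."""
    return [(LUID_NAMES.get(priv, priv), int(pid), image)
            for priv, pid, image in TOKEN_RE.findall(text)]


def privileges_by_process(rows):
    """Collapse the repeated rows into one privilege set per (pid, image)."""
    summary = defaultdict(set)
    for priv, pid, image in rows:
        summary[(pid, image)].add(priv)
    return dict(summary)


def unexpected_privileges(rows):
    """Sensitive privileges enabled by a process outside the assumed baseline."""
    hits = {(pid, image, priv) for priv, pid, image in rows
            if priv in SENSITIVE and image not in EXPECTED_HOLDERS.get(priv, set())}
    return sorted(hits)


def parse_wpm_rows(text):
    """Return (writer_pid, target_pid, writer_image); the procid_target index is dropped."""
    return [(int(src), int(dst), image) for src, dst, _, image, _ in WPM_RE.findall(text)]


def unexpected_writes(rows, pid_names):
    """Writer/target pairs that are not a known parent-spawns-child pattern."""
    hits = []
    for src, dst, image in rows:
        target = pid_names.get(dst, "?")
        if (image, target) not in EXPECTED_WRITES:
            hits.append((src, image, dst, target))
    return hits


if __name__ == "__main__":
    token_rows = parse_token_rows(TOKEN_ROWS)
    for key, privs in sorted(privileges_by_process(token_rows).items()):
        print(key, sorted(privs))
    print("review:", unexpected_privileges(token_rows))
    print("injection candidates:", unexpected_writes(parse_wpm_rows(WPM_ROWS), PID_NAMES))
```

Against this report the two things worth attention are the submitted sample enabling SeTakeOwnershipPrivilege and then SeDebugPrivilege five times, and aspnet_state.exe, a stock .NET binary, enabling SeDebugPrivilege while also being flagged for dropping files in System32. Every row of the WriteProcessMemory table is a parent writing into a child it has just created, so that table by itself is not evidence of cross-process injection.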
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1: "C:\Users\Admin\AppData\Local\Temp\21d51819cefab4b4d0ff4ba18e105480N.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:760
-
Level 1: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:2972
-
Level 1: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
Level 1: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2568
-
Level 1: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2528
-
Level 1: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516 -
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2480
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2552
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d4 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2224
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d8 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2488
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1584
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 240 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 244 -Pipe 298 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 240 -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 27c -NGENProcess 290 -Pipe 244 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a8 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 220 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 23c -NGENProcess 26c -Pipe 1f0 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2996
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2700
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 224 -NGENProcess 26c -Pipe 1ec -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2152
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 270 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1352
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2ac -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:668
-
-
Level 1: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2416 -
Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c4 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2508
-
-
Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2860
-
-
Level 1: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1096
-
Level 1: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:1464
-
Level 1: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2076
-
Level 1: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2124
-
Level 1: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:2772
-
Level 1: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352
-
Level 1: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2444
-
Level 1: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2504
-
Level 1: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1764
-
Level 1: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
Level 1: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716
-
Level 1: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840
-
Level 1: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2088
-
Level 1: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2232
-
Level 1: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2472
-
Level 1: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
Level 1: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:236
-
Level 1: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:868
-
Level 1: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:696
-
Level 1: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188 -
Level 2: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
- Suspicious use of SetWindowsHookEx
PID:2596
-
-
Level 2: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
- Modifies data under HKEY_USERS
PID:2644
-
-
Level 2: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2752
-
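The flag to read carefully in this tree is "Executes dropped EXE" on stock Windows and third-party service binaries at their normal install paths (alg.exe, the mscorsvw.exe NGen service, vssvc.exe, wbengine.exe, Chrome's elevation_service.exe, GROOVE.EXE and so on) immediately after the submitted sample is recorded dropping files in the System32, Program Files and Windows directories. The sandbox tags a process as a dropped EXE when its image was written by the sample, so the consistent reading of this page is that the service executables themselves were modified on disk and were then started by their ordinary triggers (the .NET optimization service spawning NGen workers, the Media Center, Search and VSS services), rather than the sample launching new tools; that is an inference from the flags shown here, not a statement the report makes. The Python below is an added example, mine and not part of the report: it turns the tree into the list of stock-path binaries to verify and shows the check itself, hashing each one and comparing with a clean-image baseline, with the file reader injected so the same function runs over a mounted image or, as here, constructed bytes. The process list is a hand-copied subset of the tree above; the baseline hashes and file contents in demo() are constructed.

```python
import hashlib

# Constructed from the Processes tree above: (pid, image path, subset of sandbox flags).
PROCESSES = [
    (760, r"C:\Users\Admin\AppData\Local\Temp\21d51819cefab4b4d0ff4ba18e105480N.exe",
     {"Drops file in System32 directory", "Drops file in Program Files directory",
      "Drops file in Windows directory", "Suspicious use of AdjustPrivilegeToken"}),
    (2972, r"C:\Windows\System32\alg.exe", {"Executes dropped EXE"}),
    (2516, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe",
     {"Executes dropped EXE", "Drops file in Windows directory"}),
    (2688, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe",
     {"Executes dropped EXE"}),
    (2124, r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
     {"Executes dropped EXE"}),
    (1600, r"C:\Windows\system32\vssvc.exe",
     {"Executes dropped EXE", "Suspicious use of AdjustPrivilegeToken"}),
    (2076, r"C:\Windows\eHome\EhTray.exe", {"Suspicious use of AdjustPrivilegeToken"}),
]

# Directories where a "dropped" executable at a stock service path means the service
# binary itself was written by the sample (assumed list; extend for your image).
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def under_protected_root(path):
    """True for paths below any protected root, compared case-insensitively."""
    return path.lower().startswith(PROTECTED_ROOTS)


def dropped_system_binaries(processes):
    """Distinct stock-path binaries the sandbox saw as dropped-and-executed."""
    paths = {path for _, path, flags in processes
             if "Executes dropped EXE" in flags and under_protected_root(path)}
    return sorted(paths, key=str.lower)


def verify_against_baseline(paths, baseline_sha256, read_bytes):
    """Compare each binary's SHA-256 with a clean-image baseline.

    read_bytes(path) -> bytes is injected so the check runs against a mounted image, a
    forensic export or constructed data.  Returns the paths that differ from (or are
    missing in) the baseline; those are the ones to pull for analysis.
    """
    modified = []
    for path in paths:
        digest = hashlib.sha256(read_bytes(path)).hexdigest()
        if baseline_sha256.get(path.lower()) != digest:
            modified.append(path)
    return modified


def demo():
    """Constructed data: alg.exe has grown by an appended stub, mscorsvw.exe is clean."""
    clean = {r"c:\windows\system32\alg.exe": b"MZ-clean-alg",
             r"c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe": b"MZ-clean-mscorsvw"}
    on_disk = dict(clean)
    on_disk[r"c:\windows\system32\alg.exe"] += b"\x90" * 16 + b"infector-stub"
    baseline = {p: hashlib.sha256(b).hexdigest() for p, b in clean.items()}
    # Only the binaries we have constructed bytes for; on a real image every path is checked.
    targets = [p for p in dropped_system_binaries(PROCESSES) if p.lower() in on_disk]
    return verify_against_baseline(targets, baseline, lambda p: on_disk[p.lower()])


if __name__ == "__main__":
    print("stock-path binaries flagged as dropped:")
    for path in dropped_system_binaries(PROCESSES):
        print("  ", path)
    print("differ from baseline:", demo())
```

On a live Windows host the quickest first pass over the same list is Get-AuthenticodeSignature on each path: stock service binaries are signed, and a copy that has been patched on disk fails validation. A size comparison with the clean copies is a cheap cross-check, but the hash comparison against a known-good image is the one to trust; anything that differs should be pulled and diffed section by section against the clean binary.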
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.4MB
MD5 5b4c0a26be22302270a4283acc685929
SHA1 43cf6786c8d929831b956c430569cf735c8bad95
SHA256 cd9ac695531ea98406d11eed03c830d5a766025ddff0a68099cc0e0781788bd8
SHA512 33bf7a0b8fe71f1ebc64078721041235b8a4c2e5a48500e9efe743f147f6d33154be016a437943c1f03627d7711356555550e393979938c4d6c935d5cb0ac0e2
-
Filesize 30.1MB
MD5 493309df703c7098b560da56126bad18
SHA1 8a6fb3672bbcc6f87d6fb9334cbf8f33ab5c29cc
SHA256 4570caebf9b2a77e4df71e4ebad41462c9b88036002f1b91838728b387914dc3
SHA512 ed602a831a4ae884952dfb5b2b9fe974470a39f754d0dbcc070032d2de2c2a32093e637780a29dc0a8a239f934f031f5c24abb35e720bf22934720ec4d71943e
-
Filesize 1.4MB
MD5 208b4d991a7dd40535c123e15d9917e9
SHA1 c6d0998489f250fafbf308f5067a4d97c027ba9e
SHA256 6c8937b4adbf6ab2abc6dafc9f009adefa3d69272c2c50df427ed6d84f53badf
SHA512 eb81d845565cc0837146e105c589c0df5bebe7914eb868a50980143f0fd54a343b64ed447939d8eda74507f0e2be192a1c3680458f17e3f57504db359c3ee9bf
-
Filesize 2.1MB
MD5 e07ed51e9c55cba15047076c86fe4690
SHA1 f3e7b0a141d2e80ca88275bcf51b2fc373fb225a
SHA256 b4e86ae5e1a4d55395025b07e808521d29a174f2cd8d3e71dba3eb91d54d1fd7
SHA512 394db4e09abeb8c7a0f8ca185c00da128e251a8e717b51e031b12720fb1279d3bc040edc8bd46c9e26c9ec1b9d2ad0912d5dd27e163907bd6a3d3d7bc87f9fcb
-
Filesize 2.0MB
MD5 e914abafcfa56d2fb1e09a43412e1996
SHA1 76a8faa08679def8e58b66eb59e94beb07167ecd
SHA256 71e8c71abc7c71104f7dc199c44a5e6e12a77b8420ab362b8ba43b4e2f3c16e3
SHA512 bdfba3c426101160e974069f7639ea114390bbc325a0c065caf0cd05ed4aed0dc14f41fadd0f89749eef208f45bef1c5c2fde35becf5c60df18d77c1e6f62348
-
Filesize 1024KB
MD5 d10c27f59dfdc972c4de635687df4614
SHA1 3ebd0ac94d845bca26c36a05e3a70f75561fe3e4
SHA256 71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65
SHA512 4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize 24B
MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize 872KB
MD5 1f6bb8f42e4d3118f83e2c95c4d07cea
SHA1 de881851db67f07137cf1964ddf0e553292d284d
SHA256 8fbf5d6a5e09f5e651b33f562945458d631fb2926bf817040b47ca5746b17786
SHA512 0349da5b2a7d0d8d7dedcff649c6f3dd107db775d5f9ea7e8957b6b385d34810913f393333fe984fc98c1841106dbe9f40df514ebef19bb21faced945b9942fd
-
Filesize 1.3MB
MD5 1db7ed3fd99ea919542d88e941d52319
SHA1 d41089f582390c2f8ecd4e073634e436d3b8f353
SHA256 9ed2f5f9096412ce4009250269d38edd94ef637022b8f9701301aa47fa512049
SHA512 7853f5b8c7f39f183cbd1f5d28e82a0a512c4cc763964e1d5757f86cc8a78df2e23187ef03bb1abf0473b4ff2474ecbdddd83403a2659d7229ffa3ef716f270f
-
Filesize 1.3MB
MD5 1a5be1a5f05e1ca3981126914b61f159
SHA1 8b4ca2133f499575a99d880aedbdc0e4d234d257
SHA256 cd34fb1238c691d4ed662e019295a6c3ed65cf253e61f574dc0cabebb141f543
SHA512 b64571f72a7021615e318e3f2cc2067a05ca50d7666b85317b917fb4c50892ed1ba4d7e93b196df1a0bab26cb58d003fbd6fd4e91f53a04f3735e2df40f9e6a7
-
Filesize 1003KB
MD5 abca151f7cd3b08964f8a87cbcdd8325
SHA1 ab43bb9c62573783fc3c7eddf12c91a74c95d7d7
SHA256 7b2cdf6dd3a3834c69cc3553a28884c0748a70ddfa9a9bf406966dd8f79d5af9
SHA512 b8fc73e3dc3d5654a7ab84736e235414d0dd2edd402c5c80079dc3c65692e75f1849c190f39a593ea0ab5683391a863945744fea64ed5b7a91a497767a1d21d3
-
Filesize 1.3MB
MD5 d90cdf1fa5aac64c866132becedb927c
SHA1 5c86ec87fdf515a7e24df810098b08c0030b27c5
SHA256 414c8eca547945332d7ab87595bdb7af0d67441ba0660f5c3a7431747f78f2ec
SHA512 8293ec17ba6821b9cf1c1265ace881b474c6920a8c7bf336f722aab36c53d66f003daf9acad9b3a35c6f8fd6924e618626e8fb7bc62654ab7b21dc124b1223b4
-
Filesize 1.2MB
MD5 93818f15f71ed99b32f6a1b675a8a9e7
SHA1 9817863e07fa4b431d5afec0d8566b7c4e5e7e29
SHA256 1e601511865781bfcd948fa9291e16641cf79fc017885010d715adade11288a1
SHA512 ac0c2169cac0b703359c2a13c52a5d432b301c9584044963cf4c663015ead5f48158c61f52b5cbb8267b9e2af81cc782920d564b6e0a7810de1c69c819d34947
-
Filesize 1.2MB
MD5 706eae0e12364eb54414f83392f6745d
SHA1 f7592b2461daef10a868b4639e184a6bc70203c0
SHA256 2cc7334da2b6c52ac1ccc1ac09a54e330b3439ea177f8a5f2d9fee22fe806d46
SHA512 1ad1ef674031c6737e01f84a8a72babaf1d49435bc23e64caa6264855e8b5ee19ecb7ed2e70b896f1ae16044518e68100aafca6b503fd95d99e482c9ed6244bf
-
Filesize 1.1MB
MD5 8d2cf64545b558e9b98a13409db06346
SHA1 4e94d3f0a129aecf3219f7d6efb385854485796a
SHA256 73a1dc3964b5e3d8a281070c33a0af0086a046005a0c35bb5ca196d5ef763b53
SHA512 724b20c54dde350a2d8a6ee845fb2b86aa13cf479a61e1715b1e4f02fc9eef167a1dbfc0bdfae619dbfbce2ccb256d922cf5281eca0e633c53485bb3ea7706ac
-
Filesize 2.1MB
MD5 4654b2f7f6f07fb205b8f9715af7060f
SHA1 feedc98f881561950e9438707d3c1b753b63d42c
SHA256 1c1cf483793783eb604708053364ce21313e7318894315f7d571d1c8e651a6f3
SHA512 b25236c1b1951401825bbeac3e60530f359cd50afa8b887d80cef41a39cc1b766030c5cb9719f4d7c41a8b5081c6d3c160bdf42aff2c29f276c85b3d7ac82e9c
-
Filesize 1.4MB
MD5 c7f1db9dff499bc45292b2de165c8f08
SHA1 e71dffbddc5a0c94a3a317666791371697471d11
SHA256 83e7d79a49608d85065aace768f9447641c92de6e51a2221bdc917f1696b377b
SHA512 b43fb6e392f4e19c6b3fcd04fe86a1ec6e771b0f8a86ccea3b590b99fc011aa0f513c7b1251003a5a2b719a4dd3c4fa86566d85b809f55967965bbca4d33d491
-
Filesize 1.2MB
MD5 2eb5bcc45648bebd34fb8766a1d6109f
SHA1 43510bebcce45201f72ac340f7d7ee9b0b3a153e
SHA256 f07fd7951903c9298721fc59fb52ce358e8a5572d8df17377a08a08d91a4340d
SHA512 869e43bc892bfcc9a25f4163acebf4b558994d376d4f5827374ae23f347465adb8be3749975f612ea0c8124f52e57bcb4ec415cd09ae478ec93eca01f984f302
-
Filesize 1.7MB
MD5 d56bacbf214ec1eec0bacfb418a37e9e
SHA1 3c2cce0c39b31c72ec966c22d356e3298a7a1e58
SHA256 a2dfc274a4eb3e291da9d2918689133622ca9d3f5add4154a6b0dc9b2ba76390
SHA512 57436ab2d09d83b1e81057c50b3955d2904098f811c7c144e1546bf7b6a8243d236097c4197f1a2d8eb1cf3e71a49d45bb5baea1d222bbb88ea9edbc9a8c5f76
-
Filesize 1.4MB
MD5 d651033eec45177525298d81696c1bef
SHA1 727c60404bc15de59d947b61142d8b1bc9e425a9
SHA256 dfe33f8e8866760e489a238ef0d62c304b57fc38a4c6175b73a79a68b0b3ba26
SHA512 118b27a59e7c6d9591d3543f44d6852c17e68c95ebcb0f86e667d476e92bf7624be9c1fd7a35e45d5e293181096ab8db7671b951c0fa395f15037f8b06edfd08
-
Filesize 2.0MB
MD5 a4ee2c423efa6bb5293a2f2a16c6acfa
SHA1 7a17b88d8828db0905aa05b9d21d6ca0d5daf12b
SHA256 6ffde6cfd0182d8ef9bcef48407e45a9a6fa0d85849d58d1b501c1d6e89e7664
SHA512 f85bb4d3d0376977c14f43d488c0d46725c537ffad4c180943d8b1db79042e2b2d7236a472e574811abe9f56e32314e8d4596973bbb7b98dcfe8ca5df1150011
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize 59KB
MD5 8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1 b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256 a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
Filesize 1.3MB
MD5 9351246247c4d3a7cae5ba02aaa9467e
SHA1 d0b678618b74a60c2fef6980f92c7544b05b3709
SHA256 23a83f2d013e173eb466dffa1334e4e3e82a984bb6c48b0cb5869aa1a2911e38
SHA512 59989b6aa42b5e3e65c7555f9c0c41d554a25dcbbd0850778aa5cd95cdff232fd96673a2239a533cd678f25d1a4599d2391bd32dc5c28d55b203b754043639ec
-
Filesize 1.3MB
MD5 2569740cd91d9b4653d5ec5703e9ae04
SHA1 115c74d0ed8ea009273a3eee910431cb05004681
SHA256 6b503a3f2a2e30cb67c79822d74ecfa56b44ca1a325c0c6496e6c2341daa3b70
SHA512 2ccd1fe72996aa1eb62eeb49a3c563c5ef8c5dda81a115a5104e9de2ed7a126a6004e0225c5ef3a27fffec5b3627ace479155f8c090976b0911018e4d3fdd780
-
Filesize 1.3MB
MD5 667c0cc30c7976942424758ae9437348
SHA1 28722a2cf23d0f2d3a2755c64c2259ff3d8ca964
SHA256 2ab702e383e5a9ae180f6dcc79c46706c41133399e43d9fc986fe9e2c6064eec
SHA512 a6aa0f7bf65cbd17955ddc5a3071495989c4bccf82404447a55fe98c7c18b6b6fc343143505e4b79cf5eae3f4e0e919b3b70c4f8cabe4457e546c2c6a263ce76
-
Filesize 1.3MB
MD5 db00a657aa8b00ac0e7a573eb074358b
SHA1 331522d3f669e06b58496a0de50ba259aa3ec735
SHA256 529fd3486e26b5e8dd05c49f2093c5b586b2b692f1b7070c3005be17a73ac037
SHA512 3b2065981d33c3158ba85613c9be9b6695468a485bcc68fa4d7c2f1bc1ebf9b3ae4661b3b539797b4e631d3651b5c133d43a7544a126ed8ca77a273f46f614af
-
Filesize 1.3MB
MD5 ecf569b0b68df9dc04c62e22148c0e1f
SHA1 133281ad9c2ac57c15ca797dd7e83ae7f445b865
SHA256 789e770f0ea4efcd0ee1c0a41b465a8a13bc55b5702b0c59fd118f865d928d27
SHA512 423c8c911189fc4375453af0a8cb9d40809c2ad8b1afbec33fad9427f60a59b980c40df13f77fc50ea480ed5ac8d9ad96c9db47f4cd7b595da5ce2370bd937ce
-
Filesize 1.2MB
MD5 727bd35e1ba150fec27ed8af11e52dbc
SHA1 40c2c2044c7cb3c3ff57f5b2bdf55263572f4d68
SHA256 9521d11327781d12dc98c4181f299bf69fbc2dd0db227ff4b81fca3d5d87336c
SHA512 e2a13b7f63871ed1b758d13f23ba19eb0d675166108f13d14c99235ae23512e3a863104f34e1e5478a5e14b22bfc8da879353c7d21f4472dae9e13b8e82bcb82
-
Filesize 1.3MB
MD5 b6fdb5454473e36e1128adf45ab9fe4d
SHA1 569036d240cdf78d30afa789b38ddde105c0b660
SHA256 ea138de067184e67cb14dde62ac1aec7186efe71e085e41fc4bff96efb7f5efc
SHA512 5a1fd31e674b3d5fb800e1d8817efbcd84c4bd21b473a5e91baeca6fedd58e7897edb296406edf91136c61a3a3d346d054dc67ee67de731a17721c4215418be5