d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563c

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
Size

1.5MB
MD5

42dffda7afa826221343d37e53a35c20
SHA1

64731e64aafef9081333e2254ec8e321e57e560a
SHA256

d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563c
SHA512

f3a3f01d5a271679d3d20370033df74f4680be26df3e661cbb35b0033c15e5722decb8bc9abaf9d38bcdf2af3d9bb30708d0bab5cadb188b0b9660609f1ae001
SSDEEP

24576:kPjOIKX53RTh0tFda3SSkQ/7Gb8NLEbeZ:krOz53RTqti7kQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 56 IoCs

pid	Process
464	Process not Found
3048	alg.exe
2788	aspnet_state.exe
944	mscorsvw.exe
2620	mscorsvw.exe
1172	mscorsvw.exe
3044	mscorsvw.exe
1736	ehRecvr.exe
1340	ehsched.exe
1452	elevation_service.exe
1016	IEEtwCollector.exe
3024	GROOVE.EXE
3020	maintenanceservice.exe
2988	msdtc.exe
2348	msiexec.exe
3000	mscorsvw.exe
1376	OSE.EXE
1648	perfhost.exe
1744	locator.exe
3056	mscorsvw.exe
2740	snmptrap.exe
1564	vds.exe
2484	vssvc.exe
612	wbengine.exe
2628	mscorsvw.exe
1608	WmiApSrv.exe
1508	wmpnetwk.exe
2312	SearchIndexer.exe
2972	mscorsvw.exe
1576	mscorsvw.exe
2112	mscorsvw.exe
2832	mscorsvw.exe
1236	mscorsvw.exe
2396	mscorsvw.exe
2244	mscorsvw.exe
1444	mscorsvw.exe
1400	mscorsvw.exe
1496	mscorsvw.exe
2692	mscorsvw.exe
2128	mscorsvw.exe
2340	mscorsvw.exe
3064	mscorsvw.exe
1756	mscorsvw.exe
584	mscorsvw.exe
1340	mscorsvw.exe
3068	mscorsvw.exe
2968	mscorsvw.exe
1548	mscorsvw.exe
2072	mscorsvw.exe
1560	mscorsvw.exe
2556	mscorsvw.exe
2344	mscorsvw.exe
2688	mscorsvw.exe
1964	mscorsvw.exe
1016	mscorsvw.exe
1068	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2348	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
756	Process not Found
1016	mscorsvw.exe
1016	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5b8a6a475f6c6349.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\System32\vds.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\system32\locator.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe

Drops file in Windows directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP48A4.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a080798c853adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040fe3d8c853adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a05f408c853adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006079c893853adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{6EAAA7F4-2428-4E3B-A369-6E5956D3CE92}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1120	ehRec.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: 33	2768	EhTray.exe
Token: SeIncBasePriorityPrivilege	2768	EhTray.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeDebugPrivilege	1120	ehRec.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	2348	msiexec.exe
Token: SeBackupPrivilege	2484	vssvc.exe
Token: SeRestorePrivilege	2484	vssvc.exe
Token: SeAuditPrivilege	2484	vssvc.exe
Token: SeBackupPrivilege	612	wbengine.exe
Token: SeRestorePrivilege	612	wbengine.exe
Token: SeSecurityPrivilege	612	wbengine.exe
Token: 33	2768	EhTray.exe
Token: SeIncBasePriorityPrivilege	2768	EhTray.exe
Token: 33	1508	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1508	wmpnetwk.exe
Token: SeManageVolumePrivilege	2312	SearchIndexer.exe
Token: 33	2312	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2312	SearchIndexer.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeDebugPrivilege	2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
Token: SeDebugPrivilege	2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
Token: SeDebugPrivilege	2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
Token: SeDebugPrivilege	2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
Token: SeDebugPrivilege	2856	d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeDebugPrivilege	3048	alg.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe
Token: SeShutdownPrivilege	3044	mscorsvw.exe
Token: SeShutdownPrivilege	1172	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2768	EhTray.exe
2768	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2768	EhTray.exe
2768	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1068	SearchProtocolHost.exe
1068	SearchProtocolHost.exe
1068	SearchProtocolHost.exe
1068	SearchProtocolHost.exe
1068	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1708	SearchProtocolHost.exe
1068	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 3000	1172	mscorsvw.exe	48
PID 1172 wrote to memory of 3000	1172	mscorsvw.exe	48
PID 1172 wrote to memory of 3000	1172	mscorsvw.exe	48
PID 1172 wrote to memory of 3000	1172	mscorsvw.exe	48
PID 1172 wrote to memory of 3056	1172	mscorsvw.exe	52
PID 1172 wrote to memory of 3056	1172	mscorsvw.exe	52
PID 1172 wrote to memory of 3056	1172	mscorsvw.exe	52
PID 1172 wrote to memory of 3056	1172	mscorsvw.exe	52
PID 1172 wrote to memory of 2628	1172	mscorsvw.exe	57
PID 1172 wrote to memory of 2628	1172	mscorsvw.exe	57
PID 1172 wrote to memory of 2628	1172	mscorsvw.exe	57
PID 1172 wrote to memory of 2628	1172	mscorsvw.exe	57
PID 1172 wrote to memory of 2972	1172	mscorsvw.exe	61
PID 1172 wrote to memory of 2972	1172	mscorsvw.exe	61
PID 1172 wrote to memory of 2972	1172	mscorsvw.exe	61
PID 1172 wrote to memory of 2972	1172	mscorsvw.exe	61
PID 1172 wrote to memory of 1576	1172	mscorsvw.exe	62
PID 1172 wrote to memory of 1576	1172	mscorsvw.exe	62
PID 1172 wrote to memory of 1576	1172	mscorsvw.exe	62
PID 1172 wrote to memory of 1576	1172	mscorsvw.exe	62
PID 2312 wrote to memory of 1068	2312	SearchIndexer.exe	63
PID 2312 wrote to memory of 1068	2312	SearchIndexer.exe	63
PID 2312 wrote to memory of 1068	2312	SearchIndexer.exe	63
PID 2312 wrote to memory of 2320	2312	SearchIndexer.exe	64
PID 2312 wrote to memory of 2320	2312	SearchIndexer.exe	64
PID 2312 wrote to memory of 2320	2312	SearchIndexer.exe	64
PID 1172 wrote to memory of 2112	1172	mscorsvw.exe	65
PID 1172 wrote to memory of 2112	1172	mscorsvw.exe	65
PID 1172 wrote to memory of 2112	1172	mscorsvw.exe	65
PID 1172 wrote to memory of 2112	1172	mscorsvw.exe	65
PID 1172 wrote to memory of 2832	1172	mscorsvw.exe	66
PID 1172 wrote to memory of 2832	1172	mscorsvw.exe	66
PID 1172 wrote to memory of 2832	1172	mscorsvw.exe	66
PID 1172 wrote to memory of 2832	1172	mscorsvw.exe	66
PID 1172 wrote to memory of 1236	1172	mscorsvw.exe	67
PID 1172 wrote to memory of 1236	1172	mscorsvw.exe	67
PID 1172 wrote to memory of 1236	1172	mscorsvw.exe	67
PID 1172 wrote to memory of 1236	1172	mscorsvw.exe	67
PID 1172 wrote to memory of 2396	1172	mscorsvw.exe	68
PID 1172 wrote to memory of 2396	1172	mscorsvw.exe	68
PID 1172 wrote to memory of 2396	1172	mscorsvw.exe	68
PID 1172 wrote to memory of 2396	1172	mscorsvw.exe	68
PID 1172 wrote to memory of 2244	1172	mscorsvw.exe	69
PID 1172 wrote to memory of 2244	1172	mscorsvw.exe	69
PID 1172 wrote to memory of 2244	1172	mscorsvw.exe	69
PID 1172 wrote to memory of 2244	1172	mscorsvw.exe	69
PID 1172 wrote to memory of 1444	1172	mscorsvw.exe	70
PID 1172 wrote to memory of 1444	1172	mscorsvw.exe	70
PID 1172 wrote to memory of 1444	1172	mscorsvw.exe	70
PID 1172 wrote to memory of 1444	1172	mscorsvw.exe	70
PID 1172 wrote to memory of 1400	1172	mscorsvw.exe	71
PID 1172 wrote to memory of 1400	1172	mscorsvw.exe	71
PID 1172 wrote to memory of 1400	1172	mscorsvw.exe	71
PID 1172 wrote to memory of 1400	1172	mscorsvw.exe	71
PID 2312 wrote to memory of 1708	2312	SearchIndexer.exe	72
PID 2312 wrote to memory of 1708	2312	SearchIndexer.exe	72
PID 2312 wrote to memory of 1708	2312	SearchIndexer.exe	72
PID 1172 wrote to memory of 1496	1172	mscorsvw.exe	73
PID 1172 wrote to memory of 1496	1172	mscorsvw.exe	73
PID 1172 wrote to memory of 1496	1172	mscorsvw.exe	73
PID 1172 wrote to memory of 1496	1172	mscorsvw.exe	73
PID 1172 wrote to memory of 2692	1172	mscorsvw.exe	74
PID 1172 wrote to memory of 2692	1172	mscorsvw.exe	74
PID 1172 wrote to memory of 2692	1172	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe
"C:\Users\Admin\AppData\Local\Temp\d486166064dd49f907475a3153eabbb9da98782c5fc73ca77d23a47ac9fa563cN.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:944

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e0 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d4 -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 268 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 248 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 290 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 280 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1d8 -NGENProcess 1f8 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1e8 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 21c -NGENProcess 1f8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1c4 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f8 -NGENProcess 274 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c0 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1736

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
d0e18739cb064edececbd76d018fb156

SHA1
9efa293e378e1491d774bda3944581e7d0dc07dc

SHA256
4b283a373d31c287ad7166eaf435375017767bbe0b0686411110a3e2a77e779f

SHA512
1ee57c722927a6cf998a01c0cb8367f606a4fc5f65175334666426ba8e2f6a3b7c290a08da6c9135b4ae6d8735de21eadd7e504f7f4e73709f656f279b48d8e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d151a88a6ec9e106e1a76f5e11815540

SHA1
a434313177c7808e4c2d057fe30df3651715b6a0

SHA256
fdaa3aa01a9329250b643d8191f92d0b6a82437e4a507959c3e3a3337217471c

SHA512
8676235eaaa14823a44f5ed5e08f2c6da6530b05009c69237723b4ecb023a8bc192805b48ec7a28dd4b5b8f2ce6940eb92b281e27457413eff22c1fcdb8796bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bc5b601347fede488e2aa609916e7da0

SHA1
30b6352f8f82bba22a415c16db6346af59dc5574

SHA256
51588f8fda74090fc1af80cac08db09b84bc150f89e8b2adf5b2ec689052b14c

SHA512
f8d04e7eae7f5c4c0fcafa426a103663d33baca23dc3b2c7c7e57c09a2e9c5cba7897807c09d27b548f5013c3359b91072c2e3818b3511caeaa6c1b72081918a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0356f071a17fc4eb583e000c74c68e7a

SHA1
7dc39c4ce6c5ce55bc170331e2959ce28e12e93e

SHA256
1bead2243a6d30ae004e5222c003cecb1b56d3c6360321646ff35b6d3e2ac315

SHA512
222a7a2ad1b6737c0e8ead7f2059a6d201d5a72b90b137e5ad1ab00aec5b3592f2df94ce378b2b51d9de9f6b8369b54e69ea24023aca1f8e2aaba3e8ea7754e3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
16381046f09c865c755a38875b984683

SHA1
5afbe5362d1d6295abacafbe88a418135ce421be

SHA256
17136faec51c95fb456ab734f179d2a59524c7cf32330d08d582e69ae1e43338

SHA512
1adbd31f5187e6e577b97175d165c5e3df1ad0e582892f024dfa798d2ceee144f46b6f3fae2416b4b9f4e0ed8fd0bbd3eb4ae7d2cfbba05a6f7d83bb9961b58e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7F11.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar80D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c39736cdb974d22e739f63662ec1fc86

SHA1
ee590e959bcb4dfd96ac878b607a3e71884257ae

SHA256
8b9c871c9136740b4ae0ab1eed3288655f39addcbc1e23b2b32513977769ffaf

SHA512
8143349b0aa05cbc7c6b5a304ff145839670abf78f3cfaeeda163b4af55900ef26cbb7c1f5d349c5e955aee5fe000e2c78c1cf7adfc12a2b000a95d4b7c87917

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5f98cfc9ee6a99f9a1013853e6e30d2d

SHA1
00f1307fb4c9b4f29400b708e1f678a3fffdeada

SHA256
03cc4b48c8484191e3d3eae5614b2bcc393d99646b4177da2aa6b16ec0712859

SHA512
f897b5f0d240b3a2bd152edf8ba4111411f8ef14df2c7cb61f1cfeb5edfff030343a794f191e6640b01a9b4baae01acb52de9bb2880bfbfceed2573adf84218c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
98a9f1cbf7b31980737868a23f76cb3c

SHA1
09ebfcc71c73c4598907efdc6f88cedf156840fe

SHA256
781ef4537a494f7b4eeebcf291f2f07f9928ccf421c1e6da4fae28cee6d0753c

SHA512
32a6bbc9a31cf6fb88641201eac3720da4161fc62b2b6e89252111d004297b0460dcb9efab8c2c6969f21cfa8be502cdc5748e8b9f9a9fe5aedddac122b369e8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
584260428cab7f6b6e9e4c6d481b81dc

SHA1
45a63f75f34cfc5db10e212905414ebb6158c3bb

SHA256
1b07df4a3118ebaf4d4e96d38373004ad0471affdbcc7c2d465fd7c713f78c7c

SHA512
775f1f76cb6c42ad07ae20f9d8a558ebcce0ab5918ed157740491b92a2f945972a088238defab9c3ec6e9147d497513d95933c0a5485daa88d683677aa252c5b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
1211770a521331b04e12dadeba09af31

SHA1
5e6976db26e9fbacb9f1c57a13c6638aee6eec56

SHA256
14ae4e4e466494be7bbf077070ce437ad67957ac0265eb4e4371c3345b852f2c

SHA512
9cda1c8443665f5db51b1204779a76701a736bc9057af9dce32f37f39d139fced7a36df8aebde50825349083a63e32d85c37759366b7b9f57dcde800729bdeb9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
163ef9fc7ee5767259d88a312adeb881

SHA1
e9770b382970f8e2bea1226dedf361be54c468f0

SHA256
3c7b4e24603c780e327b33edec646b719739a853a201c5f30e2604c7025af19d

SHA512
4ddd23215926d751a95e91e20f57e249739f4188bf372fedb14d348f179f246432e9ded52c7196942dba7bd99cefb8527f83727e95ca97d8edf88657d3da0e6f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
bcfec18648a19a0eec0f63e57ef3669b

SHA1
1ea1968eaeeacdb02cd16f576b64248f2643636a

SHA256
e67a5625a54ab823bb931a53d7a9cde4c8c420b0420e2fbd52fb822b45bde37f

SHA512
4c3cc09144647f5a5396e6e1eeae715930e3786499fe98f431c53afc33a6f4d1f86f44f05520f5aa395a61ed9f5ca1ee544303f65fe863ae588c5702f8cf279f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
3fbcf69bdbe74e5e516476d0e7f4abc4

SHA1
374d0a9c6a903db1a87df69bbbc2a0d182481f30

SHA256
6e673005fd10e4f61e52341bd380886573480076458c33098bc15fb905284ce8

SHA512
36c0d0dcf8ab41883d3fb5daea5f21f83293a0c6fcb5de74238057500a91d40c28c3594e9a6980f614af7c150fb592153cab2ff4657ad35ceae42efd817d02df

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9a1baa0e29ba4bdd3426308ca3dedb1f

SHA1
053d8a8a1d3d520c08f36b38ed5eda214844a37f

SHA256
b42dd952723ad5bb2b14e36f9da6a20ba618ac00b4fb2432449db3e1fcab451f

SHA512
81ca174cb6e4e1ecc1640e831ce30f0dde34fac74e3e86270a99906e289489a10454508b974577c7e128e1e149d6742155c392f0cc1adea3848bcb051101db83

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
08065a2e79c703a4731dd97555740ce7

SHA1
46d8b3a7ec8543a9e34b36d537ae1d2a7b4cd773

SHA256
56ea48fd640b6f163c105b49a5c81cba86c10520275203dd33f66fa5aea6593d

SHA512
0fd58bd2d83de7ad0238b38e27a20c1b2d8298bef0e6fb5a60317d1e7149aa747048b48aea2948f4765a8d1a4838b25c30730781c1e60c42a21de795d1c225eb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
f7bb135e6b48279de4fea150c4630896

SHA1
d6185e057507cf54b458b5b0ba86b765e2cb4276

SHA256
078261d37f69d91ffc43aeeddb003bb41b151131c0f5cfcd8cbd72d4fde78158

SHA512
67241eb3247bcb3fedd8dbfb3e8e099e20414880ea9a1cff273bd1bd7c2a5c3d2f2142ebce87417a73637c91021ff153e18ca680d4b81f78eba342f8161a817f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
a7a1a882aaf931159af2564321ac289b

SHA1
6c7aa69612ae1bc112615d6b34b3e4b85d3f37a4

SHA256
2ea433d4e47608c3a8ae3b138dd685199725f23ddcf5e07c60f7b64810d9e570

SHA512
c863413148008afa8cb1601e3d9401816f61e2566d535955082962d9853ed400e8f8d9b6e31f6180020bea2a8dc1eaac2abb16f8e702958128b9ecb993908974

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
72dcf17c0cb0f79f5598b1021813c1e0

SHA1
7fcb3087d175163a2bb769150c1164350e3242bd

SHA256
3aa63dfc10aa9db40a3a0532ac05436a0ae509955f9050db266c4100e517e2ea

SHA512
20921da4b101eff5262fa3ed6a1793ecbe4545535d0b19f8ff373954e6a6f6f9dea36fb4d5eb2fe6ff03cd8fe4af0942566da366c7d6c6a69bdc100acfdeb09a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
63e2af826be07dae41a2dd2a105293dd

SHA1
a3782d28301acc190e8f0cea74c57269edd22498

SHA256
93d71c82b88e632d4050ea8beafb2d87a60971b3778ab4f02b7083b8ba9cb0b1

SHA512
c39aceb215f91e5b7348ad291ab56246d7a9887eb6f6127bb11806433bf7089824da764c33915f0278ce60b17d7ab5f7f0327140c02e3228ed0a09be921ffde4

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
a4d387c45cb5edcdb9fc34fe45bf8a5a

SHA1
da55db510952b68a20d33ae7f91b0c6b40052087

SHA256
f000c7d824b0e34ec7a19398e727e866a54e5c63d68dff2f4c23fa882a1b2564

SHA512
412bd778468548a150467e22e5635ffed7dd56f7de13e2d0870e49421599f272f589d8348c21edb16c5d1e1934bb353bdfe3060192f972576e5fb2e1ce52ce6e

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
04f693aa8c71fea3691cbe1372262a6c

SHA1
a617ace82c4f44afc3fb5d92e48114f016edbd33

SHA256
f75f5277c5ea13144031f17ecae9282b986fd890a0f2ebdf2d017d932a9f2cf9

SHA512
beaa1ced2dd5777ba7037dfbee42539a70c9c0b12e4356a566fa22997e2d8f7be654a4d185c0e963647aff26e9c868d786458b870ee1bbd56457fc195cf3cf51

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
68d8cd939c925e457c5df8820d8b0be3

SHA1
c94c06af4a3235d6305154bb811efc7dfc39af38

SHA256
75bb10bdce43fa806d625ec11e8ec514b01024c338e62d6d35f309388ae939ec

SHA512
016e7329deed50988f31ddb83a0584a703a7931ecc8037687d9959e1f19e92a5363bdb3966339ef0183fc2b6529797709d695df6c47a72b37e5736af9100b800

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
cad2a7b0f5b902edae9f23c1658eb62f

SHA1
15dd07059800da193f96f5269d83f43badd6e5e6

SHA256
f343de9eef2cb3e8038ff008d1280e5edc7f9774866bc9bc5eb6c05bc6064949

SHA512
e35f7e4edba937ca805a72f43547d01bed4002c471e397fcf89cf6e7dd5d1a4e29e2043821c3ca4e478db31afc9c614a36ea20c3839103fbc3725dd01e85d05e

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
938ced45f73dd5a5fc8711b82493cc20

SHA1
625ebc7475518a1d5d5dd6dcd03bb88cec77e1ff

SHA256
60c55e00e1f10b5090fd6ddb6315f27c02b99b402060723165ca1d55561962b6

SHA512
14d4dd69b815ed36554f7f3931cc85a28293ac3c2d8ec2be7993e5f3a01ba8ab823977d0134804bf50f191bd7ca255c6b91f52a56e0fc9f1c11cca76a5902b1b

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
7a0b084512d1bcb93973e007df72244d

SHA1
26230c144ae083fc5e931946f0b17c4fa4cf1d20

SHA256
57bfc6a4caaffd1c6509f96541805d958ddbd0cddcfb8a7329642dba05d53806

SHA512
09f5d861f20732e4b6b37f8ed96acaddc40a0883a0d65e4eeff50ab584b2b962384cbe30ebf2bc23b70806045409e0a62ddaf49fc7d89deab5abf8b79c573bae

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
878aa53ff0bc58e675c7580ca088b86c

SHA1
bb800f4930052ee16febb22d8e7ed9255a3b944e

SHA256
1190b1ecdd4416d5e15c3b8c8aac1e172862fa4ad149e4a02bf6be17a70f7c12

SHA512
a99dc088462e48d5df9499e108be3952ee85c35c31d4ef71cfd42005dca7add1bd9fbc9a7f030fc054f2d9f801e7d79e8d514567e9218e826c3582a01040bd7f

Download Submit
memory/584-920-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/612-688-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/612-433-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/944-141-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/944-48-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/944-54-0x0000000000470000-0x00000000004D6000-memory.dmp

Filesize
408KB

Download
memory/944-49-0x0000000000470000-0x00000000004D6000-memory.dmp

Filesize
408KB

Download
memory/1016-897-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1016-265-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1172-122-0x0000000000B70000-0x0000000000BD6000-memory.dmp

Filesize
408KB

Download
memory/1172-293-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1172-116-0x0000000000B70000-0x0000000000BD6000-memory.dmp

Filesize
408KB

Download
memory/1172-98-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1236-736-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1236-706-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1340-799-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1340-919-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1340-230-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1340-325-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1340-930-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1376-347-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/1376-432-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/1400-826-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1444-793-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1452-251-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1452-327-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1496-822-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1496-845-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1508-762-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1508-465-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1548-955-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1560-969-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1564-601-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/1564-408-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/1576-676-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1576-611-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1608-754-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/1608-461-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/1648-438-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/1648-359-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/1736-191-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1736-322-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1736-190-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1736-197-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1744-363-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/1744-458-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/1756-908-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2072-968-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2072-980-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2112-692-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2128-868-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2128-857-0x0000000003D10000-0x0000000003DCA000-memory.dmp

Filesize
744KB

Download
memory/2244-771-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2244-755-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2312-483-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2312-763-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2340-881-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2340-869-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2348-323-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/2348-326-0x0000000000550000-0x0000000000699000-memory.dmp

Filesize
1.3MB

Download
memory/2348-410-0x0000000000550000-0x0000000000699000-memory.dmp

Filesize
1.3MB

Download
memory/2348-399-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/2396-753-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2396-730-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2484-420-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2484-668-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2620-173-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-72-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2620-78-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2620-71-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2628-443-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2628-571-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2692-856-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2740-569-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2740-394-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2788-275-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2788-29-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2788-30-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2788-38-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2832-723-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2832-689-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2856-189-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2856-1-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/2856-6-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/2856-0-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2968-952-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2968-938-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2972-619-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2972-574-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2988-292-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2988-374-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/3000-385-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3000-321-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3020-306-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3020-287-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3024-277-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3024-346-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3044-152-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3044-160-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/3044-308-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3044-154-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/3048-22-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3048-23-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3048-15-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-16-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3048-244-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/3056-449-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3056-382-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3064-879-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3064-894-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3068-941-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download