umbral | dbe3ee56b5cc22b5309005a8624b7cc24f5f7260e9bc38d8d223875f2fb81ba4

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sultan cracked.exe
Size

2.0MB
MD5

000142d2c4961a9715157529ee679f27
SHA1

e12ef916e551260a295cad737602c897781cc656
SHA256

dbe3ee56b5cc22b5309005a8624b7cc24f5f7260e9bc38d8d223875f2fb81ba4
SHA512

b76fbacdc4bc8172c948d2d68b2506e4c69b43d4462765dbdab37cbc773c081132b555ed072e39e5a5666f734d62374512d9ae4a0660bc90c8e7db0218bba0dc
SSDEEP

24576:Vof3ZI06UZjoiAuB2Tu6kbRTYnnk2FbMNyBo4kx929bL3Hnx1I88:a/Zsxu0zq5QnJB+kn3HnxW

Score

10^/10

umbral discovery spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1335254124253413517/uwBpTlieTdiOYJaHRQIeu3mJguPts6lG5cFLgccyNKTxKFm8dcpNOpkj0n1uwUr2-9OZ

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000197fd-9.dat	family_umbral
behavioral1/memory/2380-23-0x0000000001300000-0x0000000001340000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Executes dropped EXE 52 IoCs

pid	Process
756	ERNS X!TERS.exe
2380	svchost.exe
464	Process not Found
2848	alg.exe
2896	aspnet_state.exe
1740	mscorsvw.exe
3016	mscorsvw.exe
2056	mscorsvw.exe
1776	mscorsvw.exe
1372	ehRecvr.exe
2672	ehsched.exe
2096	elevation_service.exe
668	IEEtwCollector.exe
3040	GROOVE.EXE
1900	maintenanceservice.exe
2548	msdtc.exe
2172	mscorsvw.exe
1852	msiexec.exe
2036	OSE.EXE
2224	perfhost.exe
1460	locator.exe
2992	snmptrap.exe
1544	vds.exe
1556	vssvc.exe
2324	wbengine.exe
456	WmiApSrv.exe
2292	mscorsvw.exe
1868	wmpnetwk.exe
2792	mscorsvw.exe
2372	SearchIndexer.exe
972	mscorsvw.exe
2072	mscorsvw.exe
1784	mscorsvw.exe
2920	mscorsvw.exe
1456	mscorsvw.exe
2316	mscorsvw.exe
836	mscorsvw.exe
2940	mscorsvw.exe
1552	mscorsvw.exe
2556	mscorsvw.exe
472	mscorsvw.exe
2824	mscorsvw.exe
2248	mscorsvw.exe
848	mscorsvw.exe
2836	mscorsvw.exe
1020	mscorsvw.exe
1400	mscorsvw.exe
1676	mscorsvw.exe
2444	mscorsvw.exe
2488	mscorsvw.exe
2524	mscorsvw.exe
2592	mscorsvw.exe

Loads dropped DLL 16 IoCs

pid	Process
2568	sultan cracked.exe
464	Process not Found
464	Process not Found
2492	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1852	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
748	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	ip-api.com

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\506bd3085f6c6349.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\System32\vds.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\ACTIVADA.wav	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ERNS X!TERS.exe
File created	C:\Windows\0704.wav	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ERNS X!TERS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ERNS X!TERS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ERNS X!TERS.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
2136	ehRec.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe
756	ERNS X!TERS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
756	ERNS X!TERS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	756	ERNS X!TERS.exe
Token: SeShutdownPrivilege	2056	mscorsvw.exe
Token: SeShutdownPrivilege	1776	mscorsvw.exe
Token: SeDebugPrivilege	2380	svchost.exe
Token: 33	2176	EhTray.exe
Token: SeIncBasePriorityPrivilege	2176	EhTray.exe
Token: SeShutdownPrivilege	2056	mscorsvw.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: SeShutdownPrivilege	1776	mscorsvw.exe
Token: SeDebugPrivilege	2136	ehRec.exe
Token: SeShutdownPrivilege	2056	mscorsvw.exe
Token: SeShutdownPrivilege	2056	mscorsvw.exe
Token: SeShutdownPrivilege	1776	mscorsvw.exe
Token: SeShutdownPrivilege	1776	mscorsvw.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeSecurityPrivilege	1852	msiexec.exe
Token: SeBackupPrivilege	1556	vssvc.exe
Token: SeRestorePrivilege	1556	vssvc.exe
Token: SeAuditPrivilege	1556	vssvc.exe
Token: SeBackupPrivilege	2324	wbengine.exe
Token: SeRestorePrivilege	2324	wbengine.exe
Token: SeSecurityPrivilege	2324	wbengine.exe
Token: 33	2176	EhTray.exe
Token: SeIncBasePriorityPrivilege	2176	EhTray.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2176	EhTray.exe
2176	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2176	EhTray.exe
2176	EhTray.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
756	ERNS X!TERS.exe
2084	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2084	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe
2488	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 756	2568	sultan cracked.exe	30
PID 2568 wrote to memory of 756	2568	sultan cracked.exe	30
PID 2568 wrote to memory of 756	2568	sultan cracked.exe	30
PID 2568 wrote to memory of 2380	2568	sultan cracked.exe	31
PID 2568 wrote to memory of 2380	2568	sultan cracked.exe	31
PID 2568 wrote to memory of 2380	2568	sultan cracked.exe	31
PID 756 wrote to memory of 744	756	ERNS X!TERS.exe	39
PID 756 wrote to memory of 744	756	ERNS X!TERS.exe	39
PID 756 wrote to memory of 744	756	ERNS X!TERS.exe	39
PID 744 wrote to memory of 2028	744	cmd.exe	40
PID 744 wrote to memory of 2028	744	cmd.exe	40
PID 744 wrote to memory of 2028	744	cmd.exe	40
PID 744 wrote to memory of 520	744	cmd.exe	41
PID 744 wrote to memory of 520	744	cmd.exe	41
PID 744 wrote to memory of 520	744	cmd.exe	41
PID 744 wrote to memory of 1120	744	cmd.exe	42
PID 744 wrote to memory of 1120	744	cmd.exe	42
PID 744 wrote to memory of 1120	744	cmd.exe	42
PID 2380 wrote to memory of 2796	2380	svchost.exe	50
PID 2380 wrote to memory of 2796	2380	svchost.exe	50
PID 2380 wrote to memory of 2796	2380	svchost.exe	50
PID 2056 wrote to memory of 2172	2056	mscorsvw.exe	56
PID 2056 wrote to memory of 2172	2056	mscorsvw.exe	56
PID 2056 wrote to memory of 2172	2056	mscorsvw.exe	56
PID 2056 wrote to memory of 2172	2056	mscorsvw.exe	56
PID 2056 wrote to memory of 2292	2056	mscorsvw.exe	66
PID 2056 wrote to memory of 2292	2056	mscorsvw.exe	66
PID 2056 wrote to memory of 2292	2056	mscorsvw.exe	66
PID 2056 wrote to memory of 2292	2056	mscorsvw.exe	66
PID 2056 wrote to memory of 2792	2056	mscorsvw.exe	68
PID 2056 wrote to memory of 2792	2056	mscorsvw.exe	68
PID 2056 wrote to memory of 2792	2056	mscorsvw.exe	68
PID 2056 wrote to memory of 2792	2056	mscorsvw.exe	68
PID 2056 wrote to memory of 972	2056	mscorsvw.exe	70
PID 2056 wrote to memory of 972	2056	mscorsvw.exe	70
PID 2056 wrote to memory of 972	2056	mscorsvw.exe	70
PID 2056 wrote to memory of 972	2056	mscorsvw.exe	70
PID 2056 wrote to memory of 2072	2056	mscorsvw.exe	71
PID 2056 wrote to memory of 2072	2056	mscorsvw.exe	71
PID 2056 wrote to memory of 2072	2056	mscorsvw.exe	71
PID 2056 wrote to memory of 2072	2056	mscorsvw.exe	71
PID 2056 wrote to memory of 1784	2056	mscorsvw.exe	72
PID 2056 wrote to memory of 1784	2056	mscorsvw.exe	72
PID 2056 wrote to memory of 1784	2056	mscorsvw.exe	72
PID 2056 wrote to memory of 1784	2056	mscorsvw.exe	72
PID 2056 wrote to memory of 2920	2056	mscorsvw.exe	73
PID 2056 wrote to memory of 2920	2056	mscorsvw.exe	73
PID 2056 wrote to memory of 2920	2056	mscorsvw.exe	73
PID 2056 wrote to memory of 2920	2056	mscorsvw.exe	73
PID 2056 wrote to memory of 1456	2056	mscorsvw.exe	74
PID 2056 wrote to memory of 1456	2056	mscorsvw.exe	74
PID 2056 wrote to memory of 1456	2056	mscorsvw.exe	74
PID 2056 wrote to memory of 1456	2056	mscorsvw.exe	74
PID 2056 wrote to memory of 2316	2056	mscorsvw.exe	75
PID 2056 wrote to memory of 2316	2056	mscorsvw.exe	75
PID 2056 wrote to memory of 2316	2056	mscorsvw.exe	75
PID 2056 wrote to memory of 2316	2056	mscorsvw.exe	75
PID 2056 wrote to memory of 836	2056	mscorsvw.exe	76
PID 2056 wrote to memory of 836	2056	mscorsvw.exe	76
PID 2056 wrote to memory of 836	2056	mscorsvw.exe	76
PID 2056 wrote to memory of 836	2056	mscorsvw.exe	76
PID 2056 wrote to memory of 2940	2056	mscorsvw.exe	77
PID 2056 wrote to memory of 2940	2056	mscorsvw.exe	77
PID 2056 wrote to memory of 2940	2056	mscorsvw.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sultan cracked.exe
"C:\Users\Admin\AppData\Local\Temp\sultan cracked.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe
  "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe" MD5
      4⤵
      PID:2028
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:520
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:1120
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2796

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1740

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e0 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 264 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 268 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 23c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 274 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 274 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 260 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 290 -NGENProcess 258 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 258 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 270 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2a4 -NGENProcess 290 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 270 -NGENProcess 2ac -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1372

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:668

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2224

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:456

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1868

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2372
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 600 604 612 65536 608
  2⤵
  - Modifies data under HKEY_USERS
  PID:1964
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
3bfcf1ccc10bfe34f4ff9f4031923de5

SHA1
ae6c4d9770feeed6367b9ca9a0d32661b333cb89

SHA256
7003b43e49ad7525f3383514f8f5d60b7ac18ca8ad64cd95e1a0f8cbe282eaad

SHA512
0e6b1077b17de0ba19e6aea3a805fe0854c2dbc01448fde9ed8a6e297842343c519e324bcabf155126f17c28bde85dd118aad3df547ae050102a7fb55c193fb9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
9e8f2ee1771e5106ef9e372221cbe930

SHA1
6da82724fd64c73cd4213f94e7c92d20c42cf22f

SHA256
8aec3fa65ed825d837d5cbd0234838058384f683b2461e91012d46d799d571f0

SHA512
0fa08fdd8b878d6a939dd2cf4c09a028b4c6a1552effd731764ce06fb216449bb2fa35d6a4ca79af1e9143b74750eff212ff6c9b16da4000b5abc16da62630c4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
75d0e1e3953b6adfc5c66dab73ae1a37

SHA1
e92936d0551ae38e05d0586be5164db07cf4eaaa

SHA256
6230c56b28bf9c99e9f321bc0312f7046d2227ac3372c1b51add7bf9a0b251e2

SHA512
4e10a6deab1936a806d3d454e144bd56a66ce23eb6cf0eb6c27c942deee4827476c0441f3aabce67e00c7d9f85b7c99036a85c4793837d04134b463fb7040e98

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b5cdfe344000ec75d51e3c4ac0da9a62

SHA1
2f64e9ccccb603375d782ae4cbe2c11bef484534

SHA256
443b446efbcfdd3e4b80e4b279753becfb7d57361b66edae6bafa0cf03ceed3b

SHA512
5c89b377766d32ffd923b53def89ee842f84616db2cb1f99f607ffb93c365a109c93f8c8ddc9eec83ade36c14366dee5d607efb9c21b1ed12b6be1e2aecbc713

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
463819d254cfb04d35fd69ac2739d89d

SHA1
1f73b6d11e1004634606d372c6df62f87d316187

SHA256
c931806c21873080fe24aba05fe06bd9b1466b7b6d7d3a45162096af0b0200fe

SHA512
7fe423c8a431df0412f768265c4988f58849704ef50edbc80fc79beadcd7067196734e71d88614a2d34ef75f6ac3160c001aaea30a255974fc07be7dad8cfa8b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
45568f9c05d3e1dbc2bd5eef8bae7dc9

SHA1
b28b2cf9e1663b86422e46f6abe330649ef0c13d

SHA256
a280ae172b750a5e51fe3719643b703872ea3e17f8d59d6240cb337fdb2f19fc

SHA512
e2c4949b77437ffa6ceff85de18810f9b58a7ec70b9e06d18ee6e57f91a1479e0c33fd70405fd145cd4382be860a42f5ba8d6a479e7251d7fd96e47fd0102397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe

Filesize
1.8MB

MD5
8c110834053f57e14ced24c9e8b135c0

SHA1
e244e2a297059871cb28b75b1ea755d356ae60ec

SHA256
63ad8f6ab5596ed4ea35936d726fdecf520d5f70d6a976c765d8c59341f1e118

SHA512
77c25c6f2cb8aa004760c845358074bf2995382965578048ca7be3b32a10646983dfef6dda3ccbc022b7546bd12da5eb293406c39ba44e7679879750c0ac58b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE9BA.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
230KB

MD5
e8b96113d79f611db9ef00ef0a3f9dfe

SHA1
2b1031c270cbb9aa3f0f60f41aca340c43540e6a

SHA256
4611c4fed4d9baf0bff00023a23a5e039208452da1460c4d0ea0ff90a04ec54e

SHA512
7121fe3982912f345ac07bbe823ccc04e5a03d9d4097ac167e3aa5544803aef31a76cc9395337b3d0f8483e626e9567f113bb89db8c60375fa84ba65a50f1f7d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
ee17b242c18b7ee5c8867807550fa473

SHA1
3687058565bf0cc5932ed2714606be404f062e97

SHA256
ba4eb72f4213730dd559c598daa392ad6bb285f6665e1f9282379a819b353c01

SHA512
babe03fa28ba9a1396938a6c4e8893686d7e4c1acc2162bc48160f218ad1643be5237f0cdbe2fb4641c819e715daf589723d99b77dec5edaa5b2f8fff6d91001

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d350b2ab4e5c30c42dea30371134d738

SHA1
0a79f7e3f1cbb5493a9b7074d9b18bf3a487dd64

SHA256
6f779acd1750b4e4ca37718d1661084ab235cc97bc8cf1fadb597fb39aafd807

SHA512
c9a21e9405281f343687ce4c27d279bdd106cffa8ad7b47d4c4d11fdf37ac7914b4fb7105f7ad27a822f4cc773afa35f30899b964ba55f6af67f92ffdd0d6deb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
8bf32794b03233ba9f88be382c16c332

SHA1
f68eabaad2f13f7e63297e4e44c9e522c987b64e

SHA256
203cd3e515a475f862c40d181953a94921a546fa961ddabd7988c8b7a78f33db

SHA512
b532387b40f054069f4cfc4f263a52488b471fe0e04f3833715a440836ddd037de72ff2f52f745a5a2ac1ac3cc2f6cd0bf262d2726080abf713e7a8c1d55d561

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b656c64bc25aabd69cd430383c9e9b88

SHA1
cfd97d3cc404eb045a105e8f2b3779ae8e7e4818

SHA256
d50f7ecd854644788fce4188ab2123cbe9ebc444c732e314ccb1da841a834d77

SHA512
fe1d8f4006d2a5344222830781b6f9f6c2175a9a48bae4f45af46334cf40e2acd38198862786175e63ebe7faad0b0874bf6d07f855bcf0fbf508752e1aa3c399

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
7975dd9fa3fbc1463b269cea466902f2

SHA1
c342a7927b9c3f3f37676190191c736fd657aaa1

SHA256
ad70bdfaa59a0bcd719df9c0f6796ba1bbf645c2aea008e8d1eea5cdb5069090

SHA512
ad2720db69e86d9299597b2dbf8ce0d6a73f77647ab2c0096f1c1b2f3bc7a13151da33e13a67f0fc0d24aec6636a553ffe90e1f71bd7cbc7f0c3ed6e4ba719fb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7cf6ff4c21a8c3f64f9b0786a82e0420

SHA1
71dfb94b7bf3558e8c48ff5f9b7aee2edb5d623c

SHA256
6de7922030f81a4632ab2907fc27a8e0c28b45af7756cb323d0125c004c37306

SHA512
8853812eababec76c5c09c63057b992f81ffe163c5967cff10ffd8dcc413ca4afa9376ee98378a55b01d5aae373fa2073e0c626ce37649810b27cc4dd1da67ac

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
a8074b78e7ad3e3d3f493f6d28520796

SHA1
17dda556912a994921db1e684281d2ca1f4a47f8

SHA256
c015469609bd0591785db65679974ab25a7e0fe4fabeb292c90be8055d2573d5

SHA512
6e07a865de45b02310d5dad9a7e833e943bd0b5133abbd4e43476a2e2a3e1945f9f1af219d333df7c3670395c4ea2c91ef7de891e04b4c11485237cdf8aab454

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
b7ffb2571ee82ea5312a21a90c7e491a

SHA1
7beaab5d81e3d97e708370e33caf62d1eb53760b

SHA256
635e28d2c78a5ac8b90ec73d8776e007124835fec8b995cc43e9328f5ca87fcb

SHA512
f090cf723d9c5e1ee1a6668372292868397d6f7d1913843df721411d55e85d34bbc9bbd2120c4a6f828b31152c5a642181b60eeb2274c4e67d9bcbf85460f2a4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
1629dd980eb5d2b3d14333d9c46aef9a

SHA1
4dca78497cbe39f0c285018b12822c57363566e9

SHA256
36c7478b808513eb4fa0e842c674b1ff9b9575fef589392bd8ea45af4dfbcb4e

SHA512
d6b6c310f14b4f006ff3627e3a2fd2b492efd57894ce69eefef8c30c45918fcbdd87ca5a685b36e30be3f0f10fee9cb2b17ce9074e97a081883456eb5950ac74

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b733bbfb0eff579ee95bbedc34f1cbf8

SHA1
ede43891237e3be0726cc55da9d181adb8a76cb5

SHA256
45d5635a2c8a2d0959fb2ab7f3ff40a931d6b23ae8e5d2f1436ad9cc291ebff9

SHA512
7b62ac150693ea8de6f34624d2dd5ed8a5ba0c03c8863a84fb5db62aa6b2a71537529acb8eb08f7e59eff6ea19fe31886701d85ad45e2faa79022bfb3478a6de

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
85625053393a45f28df8b3ac897a376a

SHA1
f7f5e040094fa5b7b283599fcc69a45ed98963e3

SHA256
dfb5112a164e9818879277b2f2a4b3d3b1e2471e3394069a7a677f5f46606a71

SHA512
2d6767e4b038a3273121ef0f27e95593cf72b38fe9cd125c0b046406525a3104d7be87e4020470bfcc4557958d787c9eb32003652fb07241bb75b7ef6b159100

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
eb052ca64f08a24c6a6ad0bd02dbc4f6

SHA1
7424c30749b02497f650037ef23ed1c39245bd0d

SHA256
ec942c542397a37ce940e606f6138c3c527ebb97c4b011b4e52f1fef547cd11a

SHA512
bbfd1ce9e87a2a74cb5be5d55a09b20ce338aa3c06a7040a7dd84490dfd0a7974b3eec560d58149228cc2b679475f7917afd6b3af850d041c8cee5cd435093bb

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
85e03571c07d231ca7b538072daf9f9c

SHA1
56aca0eaeadfcd0e61e52e3ca679a92de44062a3

SHA256
a509ff4c1a2075d95e94808260639aa6795c5012f07f93c42d3a4a16f263d37f

SHA512
818060e06cc387f18d2382f6e34f1b11683fb18a0237adcace2d35be0252c5b73890c498233d212c62f847ca6cd323209e1006402374e6354cd87b04baf22d46

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7e1d32033bdf590a499560d0dd0b9995

SHA1
b455e6ab45aa82a32150a975d1dc7cb4f1583dae

SHA256
83b930ddc208f4a58c6b489ae08c7255733b4ec28e86a7aa7367ad478f3a2b6d

SHA512
5ef85c2d1c77852c6d646c558bd1092108baac9f9c2df4398d60d6e533558088e8fcf0fdbcf2ec92c3f802dc49914144dd9a7d592e4b0152fc7db2e61c8b9440

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
cafd2e02c0081cea5d5a485602329d5e

SHA1
aa0740e9518f4d6bef0d41344d764862928a2810

SHA256
af68959f54e649e955d6723b231975f1cdf7c0a890a6ae48103269def825e200

SHA512
05ffa28924155ae6f56a38f416f41cffada1830b825efb1f36050e5eeb577bb982cfb5cc7e420728cc576d3d7c556587f5de712a608f1fb7fbe10c81482cb76d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
c7dde93c4cc1afea9773460ed463513e

SHA1
061ef9ab26c8505b0302ff9c79ef2cdfa9f2bde0

SHA256
f9cc2bd3eba8731bf992eec2e9bb977f9e1c646a0ae1b640ad1016015ed50f26

SHA512
4753d4696bc69f9658c2caf0637aced253821a602b34708cf1849ece73ecd079a9ff5cd9f7e098af9045c8746af7261b6735ff983eab4e63951129e2c69a2bc9

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6eec0e4eb1b6ee767e7443911114df80

SHA1
29881bae0169a46ff6776e5d7cd1b22d1d0fe3d6

SHA256
0a5ef54c942ed6378a655fed1e5cff56e4079d6ebecb0cd00bc634741b5e3d7f

SHA512
3b0731ecd34f71b15a061ec94cfa4aa52e8ee617f2d5aa02f7f53deaf67dedc3175947a0a4311aa8995355a0b65c6886b5917674989f970fe52333cb2df4c962

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3a31afae2c00273f335104e540b36fc5

SHA1
901217fa7f52baffec36804b5bfaad18d7405bfa

SHA256
7add6d27acc9fba7c77d0bc7fa0d60d3ee7e24c7fc36004c861849c1841c7b18

SHA512
c84a9ca8ff5ecc85f1c2a78c0aef0e1b57bc115022bf25dd2f1dfc59eb1f8e73216a756e2a8c0d13dc4c832dc612ebd29529b485c49242723c0cc7a8dd25b80d

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
471a7b6c1f7d6d26c7c77b88f6d849c1

SHA1
55a2f5f866762eaeb2012b228286554b04cd4759

SHA256
4f688e318297851e185bccfbf02849b729aa280b9d867c15071902b0037d3e9c

SHA512
0d722ef120d67be8d7193524f03688db8665df63f6934cf0674c53c10a7846afe5d93a92449824377d25b791e1516d04bb4327288ad5d2bc759dfc3b211ca2a9

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
059958025846effbd0950007889e5c21

SHA1
a2f473fba51ae86bc92101936be7178f0eca9c5d

SHA256
580e2574865668199044c30c0ae5e0ef29af115bc9ee9504ea3f54ca400b4bf4

SHA512
48d69cab5d1d38e5d9adfa852d2524f83513c17a3938af63f89b88c4621d2f2b3612c442ca20dc5853dda23eb94260b42a4b2b9dcb4f12832d2572b2bfc6fc8d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
70b763e50fe8578ff36820dc77534138

SHA1
4fc4ef3c07a9274aaca022c8f27501130dacbdde

SHA256
cefa8be95b45f6ecf626bb00a227a6175b4b7943604447568735eca00b4d4517

SHA512
e41d3fce1a9bfd7f39388ca1a00adc704df9604cf535d6104767c8b67d51866d00dec3baa32cbb2122782b8814ed827a29b00847c0324448c4a1555c9b5094cc

Download Submit
memory/456-520-0x0000000100000000-0x0000000100163000-memory.dmp

Filesize
1.4MB

Download
memory/456-389-0x0000000100000000-0x0000000100163000-memory.dmp

Filesize
1.4MB

Download
memory/472-736-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/472-744-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/668-309-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/668-224-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/668-893-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/756-19-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/756-13-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/756-12-0x0000000140000000-0x00000001401CE000-memory.dmp

Filesize
1.8MB

Download
memory/756-159-0x0000000140000000-0x00000001401CE000-memory.dmp

Filesize
1.8MB

Download
memory/836-693-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/836-669-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/848-800-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/972-465-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/972-474-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1020-824-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1372-168-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1372-200-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1372-175-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1372-199-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1372-169-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1372-274-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-834-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1400-831-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1456-648-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1460-329-0x0000000100000000-0x0000000100133000-memory.dmp

Filesize
1.2MB

Download
memory/1460-388-0x0000000100000000-0x0000000100133000-memory.dmp

Filesize
1.2MB

Download
memory/1544-418-0x0000000100000000-0x00000001001B3000-memory.dmp

Filesize
1.7MB

Download
memory/1544-345-0x0000000100000000-0x00000001001B3000-memory.dmp

Filesize
1.7MB

Download
memory/1552-724-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1556-358-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1556-436-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1676-852-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1740-85-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1740-121-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1740-80-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1740-69-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1776-156-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1776-160-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1776-150-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1784-578-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1784-613-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1852-366-0x0000000000520000-0x0000000000671000-memory.dmp

Filesize
1.3MB

Download
memory/1852-293-0x0000000000520000-0x0000000000671000-memory.dmp

Filesize
1.3MB

Download
memory/1852-282-0x0000000100000000-0x0000000100151000-memory.dmp

Filesize
1.3MB

Download
memory/1852-359-0x0000000100000000-0x0000000100151000-memory.dmp

Filesize
1.3MB

Download
memory/1868-413-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1868-600-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1900-250-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1900-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2036-372-0x000000002E000000-0x000000002E154000-memory.dmp

Filesize
1.3MB

Download
memory/2036-298-0x000000002E000000-0x000000002E154000-memory.dmp

Filesize
1.3MB

Download
memory/2056-129-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2056-136-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2056-227-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2056-140-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2072-583-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2096-205-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2096-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2096-284-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2172-357-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2172-277-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2172-412-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2224-382-0x0000000001000000-0x0000000001134000-memory.dmp

Filesize
1.2MB

Download
memory/2224-310-0x0000000001000000-0x0000000001134000-memory.dmp

Filesize
1.2MB

Download
memory/2248-755-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2248-770-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2292-416-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2292-407-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2316-673-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2324-464-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2324-381-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2372-438-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2372-706-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2380-23-0x0000000001300000-0x0000000001340000-memory.dmp

Filesize
256KB

Download
memory/2444-849-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2444-860-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2488-872-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2524-908-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2524-889-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2548-258-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/2548-355-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/2556-723-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2556-728-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2568-158-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-0-0x000007FEF648E000-0x000007FEF648F000-memory.dmp

Filesize
4KB

Download
memory/2568-11-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-896-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2672-187-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2672-181-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2672-657-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2672-189-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2672-280-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2792-468-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2824-747-0x0000000003CB0000-0x0000000003D6A000-memory.dmp

Filesize
744KB

Download
memory/2824-759-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2836-795-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2836-813-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2848-26-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2848-33-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2848-32-0x0000000100000000-0x0000000100142000-memory.dmp

Filesize
1.3MB

Download
memory/2848-180-0x0000000100000000-0x0000000100142000-memory.dmp

Filesize
1.3MB

Download
memory/2896-46-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/2896-203-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/2920-617-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2940-710-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2940-682-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2992-343-0x0000000100000000-0x0000000100134000-memory.dmp

Filesize
1.2MB

Download
memory/3016-143-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/3016-98-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/3040-342-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3040-236-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download