be9344bf0883a5f75e8a32e47c4d300d3db60a29995d9b49f2f0aa953b341600

Analysis

max time kernel
136s
max time network
154s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc2c38b145abe3exeexeexeex.exe
Size

2.6MB
MD5

dc2c38b145abe32f3faa7f6206911413
SHA1

2e0d237c7742fd9159712cc3473d74c41215c617
SHA256

be9344bf0883a5f75e8a32e47c4d300d3db60a29995d9b49f2f0aa953b341600
SHA512

153988ecca2c7b2894a88d2d673acddad7cadf67317d57346b87336dd2ca2ce36fa8aa1e9a32fee717574903a070f9dfbc5ea73b64e164c64ad4f0f6bbcac448
SSDEEP

49152:IKYNu9FsGsL5tj1XUNgASK4CTfVf1WZ62sHzMb8uY0sZPUFo2+4rhTHZ9tHFjT1B:lmgzHwb8uYiF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 57 IoCs

pid	Process
468	Process not Found
1500	alg.exe
520	aspnet_state.exe
3064	mscorsvw.exe
1436	mscorsvw.exe
2696	mscorsvw.exe
2772	elevation_service.exe
2768	GROOVE.EXE
2540	maintenanceservice.exe
2784	OSE.EXE
1816	OSPPSVC.EXE
1624	mscorsvw.exe
2416	mscorsvw.exe
1612	mscorsvw.exe
1012	mscorsvw.exe
2752	mscorsvw.exe
2548	mscorsvw.exe
904	mscorsvw.exe
1296	mscorsvw.exe
2108	mscorsvw.exe
2304	mscorsvw.exe
1716	mscorsvw.exe
2448	mscorsvw.exe
2008	mscorsvw.exe
1712	mscorsvw.exe
2216	mscorsvw.exe
2228	mscorsvw.exe
2664	mscorsvw.exe
2808	mscorsvw.exe
2740	mscorsvw.exe
1720	mscorsvw.exe
1804	mscorsvw.exe
2436	mscorsvw.exe
2016	mscorsvw.exe
1988	mscorsvw.exe
2328	mscorsvw.exe
320	mscorsvw.exe
1664	ehRecvr.exe
2660	ehsched.exe
2820	IEEtwCollector.exe
2484	msdtc.exe
2852	msiexec.exe
2208	perfhost.exe
2896	locator.exe
2164	snmptrap.exe
2064	vds.exe
2352	vssvc.exe
2448	wbengine.exe
2564	WmiApSrv.exe
2692	wmpnetwk.exe
2476	SearchIndexer.exe
2708	mscorsvw.exe
2952	mscorsvw.exe
2556	mscorsvw.exe
1760	mscorsvw.exe
2524	mscorsvw.exe
1204	mscorsvw.exe

Loads dropped DLL 17 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2852	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found
2524	mscorsvw.exe
2524	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	dc2c38b145abe3exeexeexeex.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c11ca8722c1cb494.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1037.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	dc2c38b145abe3exeexeexeex.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	dc2c38b145abe3exeexeexeex.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{1CD285E3-2B2F-43A6-A0B7-B48555FB13D4}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{1CD285E3-2B2F-43A6-A0B7-B48555FB13D4}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2816	ehRec.exe
520	aspnet_state.exe
520	aspnet_state.exe
520	aspnet_state.exe
520	aspnet_state.exe
520	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2096	dc2c38b145abe3exeexeexeex.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeDebugPrivilege	1500	alg.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	520	aspnet_state.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: 33	2804	EhTray.exe
Token: SeIncBasePriorityPrivilege	2804	EhTray.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeSecurityPrivilege	2852	msiexec.exe
Token: SeDebugPrivilege	2816	ehRec.exe
Token: SeBackupPrivilege	2352	vssvc.exe
Token: SeRestorePrivilege	2352	vssvc.exe
Token: SeAuditPrivilege	2352	vssvc.exe
Token: SeBackupPrivilege	2448	wbengine.exe
Token: SeRestorePrivilege	2448	wbengine.exe
Token: SeSecurityPrivilege	2448	wbengine.exe
Token: SeDebugPrivilege	520	aspnet_state.exe
Token: 33	2692	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2692	wmpnetwk.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: 33	2804	EhTray.exe
Token: SeIncBasePriorityPrivilege	2804	EhTray.exe
Token: SeManageVolumePrivilege	2476	SearchIndexer.exe
Token: 33	2476	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2476	SearchIndexer.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe
Token: SeShutdownPrivilege	1436	mscorsvw.exe
Token: SeShutdownPrivilege	2696	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2804	EhTray.exe
2804	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2804	EhTray.exe
2804	EhTray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1580	SearchProtocolHost.exe
1580	SearchProtocolHost.exe
1580	SearchProtocolHost.exe
1580	SearchProtocolHost.exe
1580	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1624	1436	mscorsvw.exe	39
PID 1436 wrote to memory of 1624	1436	mscorsvw.exe	39
PID 1436 wrote to memory of 1624	1436	mscorsvw.exe	39
PID 1436 wrote to memory of 1624	1436	mscorsvw.exe	39
PID 1436 wrote to memory of 2416	1436	mscorsvw.exe	40
PID 1436 wrote to memory of 2416	1436	mscorsvw.exe	40
PID 1436 wrote to memory of 2416	1436	mscorsvw.exe	40
PID 1436 wrote to memory of 2416	1436	mscorsvw.exe	40
PID 1436 wrote to memory of 1612	1436	mscorsvw.exe	41
PID 1436 wrote to memory of 1612	1436	mscorsvw.exe	41
PID 1436 wrote to memory of 1612	1436	mscorsvw.exe	41
PID 1436 wrote to memory of 1612	1436	mscorsvw.exe	41
PID 1436 wrote to memory of 1012	1436	mscorsvw.exe	42
PID 1436 wrote to memory of 1012	1436	mscorsvw.exe	42
PID 1436 wrote to memory of 1012	1436	mscorsvw.exe	42
PID 1436 wrote to memory of 1012	1436	mscorsvw.exe	42
PID 1436 wrote to memory of 2752	1436	mscorsvw.exe	43
PID 1436 wrote to memory of 2752	1436	mscorsvw.exe	43
PID 1436 wrote to memory of 2752	1436	mscorsvw.exe	43
PID 1436 wrote to memory of 2752	1436	mscorsvw.exe	43
PID 1436 wrote to memory of 2548	1436	mscorsvw.exe	44
PID 1436 wrote to memory of 2548	1436	mscorsvw.exe	44
PID 1436 wrote to memory of 2548	1436	mscorsvw.exe	44
PID 1436 wrote to memory of 2548	1436	mscorsvw.exe	44
PID 1436 wrote to memory of 904	1436	mscorsvw.exe	45
PID 1436 wrote to memory of 904	1436	mscorsvw.exe	45
PID 1436 wrote to memory of 904	1436	mscorsvw.exe	45
PID 1436 wrote to memory of 904	1436	mscorsvw.exe	45
PID 1436 wrote to memory of 1296	1436	mscorsvw.exe	46
PID 1436 wrote to memory of 1296	1436	mscorsvw.exe	46
PID 1436 wrote to memory of 1296	1436	mscorsvw.exe	46
PID 1436 wrote to memory of 1296	1436	mscorsvw.exe	46
PID 1436 wrote to memory of 2108	1436	mscorsvw.exe	47
PID 1436 wrote to memory of 2108	1436	mscorsvw.exe	47
PID 1436 wrote to memory of 2108	1436	mscorsvw.exe	47
PID 1436 wrote to memory of 2108	1436	mscorsvw.exe	47
PID 1436 wrote to memory of 2304	1436	mscorsvw.exe	48
PID 1436 wrote to memory of 2304	1436	mscorsvw.exe	48
PID 1436 wrote to memory of 2304	1436	mscorsvw.exe	48
PID 1436 wrote to memory of 2304	1436	mscorsvw.exe	48
PID 1436 wrote to memory of 1716	1436	mscorsvw.exe	49
PID 1436 wrote to memory of 1716	1436	mscorsvw.exe	49
PID 1436 wrote to memory of 1716	1436	mscorsvw.exe	49
PID 1436 wrote to memory of 1716	1436	mscorsvw.exe	49
PID 1436 wrote to memory of 2448	1436	mscorsvw.exe	50
PID 1436 wrote to memory of 2448	1436	mscorsvw.exe	50
PID 1436 wrote to memory of 2448	1436	mscorsvw.exe	50
PID 1436 wrote to memory of 2448	1436	mscorsvw.exe	50
PID 1436 wrote to memory of 2008	1436	mscorsvw.exe	51
PID 1436 wrote to memory of 2008	1436	mscorsvw.exe	51
PID 1436 wrote to memory of 2008	1436	mscorsvw.exe	51
PID 1436 wrote to memory of 2008	1436	mscorsvw.exe	51
PID 1436 wrote to memory of 1712	1436	mscorsvw.exe	52
PID 1436 wrote to memory of 1712	1436	mscorsvw.exe	52
PID 1436 wrote to memory of 1712	1436	mscorsvw.exe	52
PID 1436 wrote to memory of 1712	1436	mscorsvw.exe	52
PID 1436 wrote to memory of 2216	1436	mscorsvw.exe	53
PID 1436 wrote to memory of 2216	1436	mscorsvw.exe	53
PID 1436 wrote to memory of 2216	1436	mscorsvw.exe	53
PID 1436 wrote to memory of 2216	1436	mscorsvw.exe	53
PID 1436 wrote to memory of 2228	1436	mscorsvw.exe	54
PID 1436 wrote to memory of 2228	1436	mscorsvw.exe	54
PID 1436 wrote to memory of 2228	1436	mscorsvw.exe	54
PID 1436 wrote to memory of 2228	1436	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dc2c38b145abe3exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\dc2c38b145abe3exeexeexeex.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d8 -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 260 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d8 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 280 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 268 -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 268 -NGENProcess 29c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 2a8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1d4 -NGENProcess 29c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 218 -NGENProcess 284 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a4 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 258 -NGENProcess 1e8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 2a4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 2a4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 274 -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2540

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1816

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:320

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1664

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2804

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2484

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2476
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-719110999-4061093145-1944564496-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-719110999-4061093145-1944564496-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1056
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
eaf283e3eee1ab848976cf163a9821d4

SHA1
d97f52dd0fa09f2a07b20eef9539d9b1c677dc64

SHA256
0fca5dde4a90df2d330aa58566ed1f5385de8ea9349e000ea0d15d9b50e040c8

SHA512
ab9366fc711a4ab92733d17f606dc59fc53dc2ae2f17dfbb1efcd3033ef3873f359f2c9ccc6eec66837465f12ae99088f8430fcecc667b1ec145b288bdd1d63a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6c7e4a2514439a97638173f4d6058f67

SHA1
79a115836a0ddf92269267eca1f7cebc267a986b

SHA256
4746f23e2f713207fbf299fcf06b4424f1d6fcb712bdb971e5b0a3880e5a1f50

SHA512
d210d5de23f91c410e33302f9e0eadcc8da5a2965163b618d8d5022d545fa5f1835cd6525ea659d22a1037e5fc8a709e11592b58fe67868bc434d2dce46c3d6f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
edfdbcbdf1488fee2d9c523ccd60500a

SHA1
001d5159d3bb7fd8c03c52ab9ce5e5e100ea93ed

SHA256
64923800c6c1ef3bed814f535014116705a3c0aa272271482f64bc3ca6e50390

SHA512
069812e68b5c63b921d296e68924e9cc3ec3f01255f71398d1355e4c0e392e5acb4a693ce995d0cc409dc5b7e5c3bf8f50e28399995c0a4bc8756d2500d4ab4d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
edfdbcbdf1488fee2d9c523ccd60500a

SHA1
001d5159d3bb7fd8c03c52ab9ce5e5e100ea93ed

SHA256
64923800c6c1ef3bed814f535014116705a3c0aa272271482f64bc3ca6e50390

SHA512
069812e68b5c63b921d296e68924e9cc3ec3f01255f71398d1355e4c0e392e5acb4a693ce995d0cc409dc5b7e5c3bf8f50e28399995c0a4bc8756d2500d4ab4d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
eea24d4e408d48b7cbc0ce491516edff

SHA1
dbe5ae847e2de532065ff6a570a4bb9c315dad18

SHA256
2caab9fa2387aa53861fe723f4cf923c9fb87b7f94c2129fef1a3bfdf2de9be1

SHA512
a4965e1e969912c615b0bcf9cf973436a1523508e5401051f4cba5ed03f31c3b5e3fd3cbbf941c07efcbffbb23f0588fddabb54226ebc40b433801f3867a41e2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ba4da3f11a159bd5d0578a04c7ce0e59

SHA1
fe15f1d07bcf1338b31d4fb27c92ee8f0a5712f1

SHA256
df158a507f74d8d9b3600e54d2a99858d6447cfab4426c1be95f9b3364d0d8e9

SHA512
fb29758e1f46b8cb84df2f27c4fa950d4ed435026fdfc1af0904575b93bfa17d38f2fd4ef2c735a4ebd0fa06322df2ef67f69696021d77f0d84443571d4d0e5e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
1fa82be8c904ddd49300d7fe0f84dce8

SHA1
22a13815690dc26e6f95f76b52ee56f97db32077

SHA256
2e69def89fdfd0f073b10441e92cff7b1b1b4a20c2335076e55d825aa638e955

SHA512
9b3ea40c0bcc64480faeb62d63b4a68c45f4091e887bb8fa91dafc7da28dae612df99916fc213a421e054c19452b1b7f6468233574fead35ee751752161cddb7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
ff176eec70dcb7774f2ff44168450ef9

SHA1
c998223a6c9196650e3bd04e484dcbb20465e47b

SHA256
2c2c735c99bfe3b7ee717e0f73afabfb3c433df69dfc1403131043af8e4a77ef

SHA512
db468ee04f6ca137961e96a06a046ada12ae461829ef4a04b3804c82c2237407b6a5a1aa424b1ca3a6796ac48a90617012f7104d8f7a2847a211a039dd29ee0d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
ff176eec70dcb7774f2ff44168450ef9

SHA1
c998223a6c9196650e3bd04e484dcbb20465e47b

SHA256
2c2c735c99bfe3b7ee717e0f73afabfb3c433df69dfc1403131043af8e4a77ef

SHA512
db468ee04f6ca137961e96a06a046ada12ae461829ef4a04b3804c82c2237407b6a5a1aa424b1ca3a6796ac48a90617012f7104d8f7a2847a211a039dd29ee0d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
5672c724204ba211c6b40f808a32da3b

SHA1
3e4dfda2ed7c8304abad07fcc81a9016ae3cb46c

SHA256
5c180179c28afb370f1aa957f31906a62bbb807cf88471f613107fa8270addbc

SHA512
fd8aab2a2ba47e0793528a3f9242eed712742918a8ec585ef8a938bd3fe2bf990797e84aad358222296aa5654a9da7f8cc2cc2496bb15ee79acc7f3e24c0f7e7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
35d7ca268f8a2f74057de8428a47893e

SHA1
e8790eff5208e935c4688a644c1a33a12b9467b2

SHA256
70f14eaf6239bf30d6acd4f6948bb9049a9cc6f456a4edb2fa254d0924c71d3f

SHA512
5970a6b820ddc672479767140762d3944ad4f5ecafddebc1834edb8f16b512ebb68e827a6b40df4e8d952c4c2bf2487bd754405683b8acd56de5346318883756

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
620b37de0f55e89ae1784b2a1160699d

SHA1
f4cc5ab45cd276a451c15cfc898fa24bfa30b139

SHA256
76a7f0842abb31f06a45a0373fd2e1d0ca82c8f1252f142c2642c167ccab2dc8

SHA512
5d46482b02719ace36850c72fe57ec1387d39a97a885372b3a8496bfbb5bf5435d579fd2d8ad72bcf47f203b1de0dcc9d51906bbb5b4a48945bba7e790cbbcfc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
620b37de0f55e89ae1784b2a1160699d

SHA1
f4cc5ab45cd276a451c15cfc898fa24bfa30b139

SHA256
76a7f0842abb31f06a45a0373fd2e1d0ca82c8f1252f142c2642c167ccab2dc8

SHA512
5d46482b02719ace36850c72fe57ec1387d39a97a885372b3a8496bfbb5bf5435d579fd2d8ad72bcf47f203b1de0dcc9d51906bbb5b4a48945bba7e790cbbcfc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
620b37de0f55e89ae1784b2a1160699d

SHA1
f4cc5ab45cd276a451c15cfc898fa24bfa30b139

SHA256
76a7f0842abb31f06a45a0373fd2e1d0ca82c8f1252f142c2642c167ccab2dc8

SHA512
5d46482b02719ace36850c72fe57ec1387d39a97a885372b3a8496bfbb5bf5435d579fd2d8ad72bcf47f203b1de0dcc9d51906bbb5b4a48945bba7e790cbbcfc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
620b37de0f55e89ae1784b2a1160699d

SHA1
f4cc5ab45cd276a451c15cfc898fa24bfa30b139

SHA256
76a7f0842abb31f06a45a0373fd2e1d0ca82c8f1252f142c2642c167ccab2dc8

SHA512
5d46482b02719ace36850c72fe57ec1387d39a97a885372b3a8496bfbb5bf5435d579fd2d8ad72bcf47f203b1de0dcc9d51906bbb5b4a48945bba7e790cbbcfc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
c6347dea85326b5262cffa64cdc93cb4

SHA1
d67834d8e37c7a008893ed8d94b6fe65870dab00

SHA256
3ff2a71ca26b264300c169ecbdaf0aaa7a3161d2cffbf53a4c705a182c085021

SHA512
e710e5b10cd3514259714da0619ceb2535e8bc19e534c9a33390827e9470f266ef783cfb3dbd19869574add1ea39ebc206bacf1884a47d1ec23f57a300b8d34d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
c6347dea85326b5262cffa64cdc93cb4

SHA1
d67834d8e37c7a008893ed8d94b6fe65870dab00

SHA256
3ff2a71ca26b264300c169ecbdaf0aaa7a3161d2cffbf53a4c705a182c085021

SHA512
e710e5b10cd3514259714da0619ceb2535e8bc19e534c9a33390827e9470f266ef783cfb3dbd19869574add1ea39ebc206bacf1884a47d1ec23f57a300b8d34d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
6a9ef9c5f55d5e770f37147a2a9f2fab

SHA1
32e455626182d2dfd1d0c9df9610cd5173665357

SHA256
a941d7a50116422b32fa16c3b7778f741a591c7048bec8955586f6324221dafa

SHA512
8a66c8c4f217a7805b404a345577af4925ce26cdd0e0daf1110e6ff839f246838822a08811255014bd2b15954e34ac7574466b82362464344d2cd661a37539f3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
cb8902a737f5c6bc4e4b2292a7ab541e

SHA1
a0bf42b11845af4d8de67f33171d90998beeee7f

SHA256
7c7fddd6372ce344514bc127230d8f9daad05ed308f1d3deece8c6e3ee232f28

SHA512
1de33f4611e51763c01bfbdfd3fe85953fe4be8fc2728b3578d55ea7f5d849b523cac46a2c0fb288d7cf16d2adbc7ca79d0a06d5b6886a3368370cf9f6835d02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
97692a2e3b365bcfd3c1c1d303b5e73f

SHA1
e5e93cd7fe3a90602bbd531fb5e0f88d42a4f9da

SHA256
320fb0dfa9df92554111a7305679abdbf1e24f73555b006039fb51f19693de72

SHA512
9a0ebf5a3ae067902bc5793a4a79beaf1f49baf23ef5bee6acd8d943edee0884247cffef12192ebc616a170566dad0026e72425aa01b7f42c5f87c0e03b29416

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
f72aa8c35b3bba1c448a0ff0107f06fe

SHA1
f8b58b42cb541e8b8ed4b0ec7821ca72787c833e

SHA256
ce78fdc065bc4398aee36d95b148856ab38cd247d3bc67d861dd3c1e8adc7d4b

SHA512
a38ceb0c4cf8c588f72d23c59b0fccfd94de65bc9ac0b0fd6b10e77981eee5b823c6fe5d5d942ad54933d435f6274bd486a76915d5495c42be2f91851aa4facc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
8f6d6731aac3e527598e1b5f491cf272

SHA1
941a401eafd9e3ab66162f49c0be12d4a5728ab2

SHA256
337a5fc5f7a15859220c7a11cea75afc5e65758b3f9d589f4e18d7f83212efe1

SHA512
f1ca8a76221f0d825eeeceddc56bb22022f7323525a0c6f3de170fffc9b24eda1189cf4b5c7dbfb6156866835f6f8802e5175dedb1380dd7626ac2b75eb272c0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
856b526b739ce641886207edc406beff

SHA1
5ed89309a5b923709973801d91c3dcfe5b88862c

SHA256
ccb3b14f26a9dcc0871ec50326bcbd1189f3b8f96b6d14574a2bb4a795150b9a

SHA512
adf5b414636edfd3f53684751486eff1b1cea2d8657849b8c43410ea36c8fea1ce719dc42770d438f72087ae4c48f603b2321736c4166d7c730d98ce70c3eb42

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
df288bc2a9eed4519c56425ec095986f

SHA1
0431a2f957b40a767e353c273d413d000aea41b5

SHA256
33c4a6695f2e2d6f033d8cf7319621de6bfee1ac694f79d2027a68fd4e0b6797

SHA512
0f34bacd7132172c4d1a4febb3c143dcaa42bee9fbd85bfe19110ce1ecfdd7d03f82536cd9beeccab6f07975f95b71ca84b1b6e640d593769b67a81fe15d3c3e

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
9bf39ed53353bdb6a1d69902c9554839

SHA1
00cd1cce90151eb1248c88ce2b500d7b3218057f

SHA256
8f79e1bb1d83e302037376666c5e1e7d4f3866238a10fcdb3484ac81148cec80

SHA512
508dc147a606a85115dc6cb915429d5a5769be102f88ab24f4f4a79e2c658ecfe993cfb53e35b64777b8fb075ce3f3e42f7d2817f752c8d9369b18cb7a54254a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
d65fb2db119c3a66c19512e9e1a86ce6

SHA1
0633c0096bf97100a1bd3f6d6d0f839a06a5d165

SHA256
803c7aa4aad31af6c9b935d7b067fe9975cd3ecc41f8a244a312738b0459e7ed

SHA512
658900c9c19edfe699a137faa19a749cbd928ea0a492d8839ca065f8e8f4501b4f94a6c838bc4364e90657b1d3e9adf5703ef65c8e6e7e57f66375c00f123763

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
691KB

MD5
2a5570bc29b965ba09e4621e357e0f77

SHA1
697bc32459e415b7244eaa537c2d2e3899e687b3

SHA256
cdcd5647a316875d4fe258baac5a86e222945bce8e6b02da0ecb5d288ddcb490

SHA512
6c7aabfd42cdbee9f5bbd54278f1b07f5211f78aeb485aadebcbd0cd5c0f9856fbabfbfdd8a3e9ce61624fd16788701e600b9b4f6674e7ac5ee91037efa16213

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
5819c486cb92206622dc15f5e04517b4

SHA1
3d394fbd466e9fd4082bb54ba8b06177e941b96a

SHA256
2914ec141faae826b2cdd6305e16879487af6182365d8ff1ed0576481b6dc94d

SHA512
af93b5c90bb2bcf936f680c552bd73a2c95d5475053c75d6b5845d5d95dedd4a6c9ea0567550d39c9630b68e2f1a464da35d3b4c869a06f97643458980a33241

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
3bf4415f2e84ad50e00b89020c51d61a

SHA1
99770c322593c4ecf8a394df2b9cfec5ce502002

SHA256
b8795844f8a160177aca6e653c38db5dd61115b89521e2c323f2f439a818bbd6

SHA512
6997746adc829489895870f09e15d6e3c260e92e4e51814d63c23fcaf4f61dccc6d58371bff47e092017a3c6ce407406be120d2ccdda51f9a7dd7f408bdb234e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
58ce0ba6e261e78b30c5155ad439ec6b

SHA1
59890095be2c84b935220c7c16a4bac701af3971

SHA256
6e7c86b261504377295a63b1fc7ee49f91f7e22c7b83b51cb90aab4a16497dca

SHA512
729e6eedaaeab8af0612110ceacc40c44b62d79d36c4206979c0dcf3a323dda4a5412440e64a54c083f04bb2e0ddbda161a08b90aeb450050e2c77789d150a96

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
07a921fdbc8f8e062ef9b6a0414bc9c5

SHA1
5ac6a1b1c05b6b58d4d580b0c6d91da536f6455f

SHA256
19f644d46850439ed296ff0c8ab2f19a2858175073fe61923fbb49f9223f770a

SHA512
785bdc4fc21f24eb775e4c9ed9374f4c6a1cd5a272513168ec7f18bfc42b8317dc643ca19a3d517a5db52ea17be98f33c4c8161bff9f8dfef2afcf5f4998ea79

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
2a5570bc29b965ba09e4621e357e0f77

SHA1
697bc32459e415b7244eaa537c2d2e3899e687b3

SHA256
cdcd5647a316875d4fe258baac5a86e222945bce8e6b02da0ecb5d288ddcb490

SHA512
6c7aabfd42cdbee9f5bbd54278f1b07f5211f78aeb485aadebcbd0cd5c0f9856fbabfbfdd8a3e9ce61624fd16788701e600b9b4f6674e7ac5ee91037efa16213

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
ff176eec70dcb7774f2ff44168450ef9

SHA1
c998223a6c9196650e3bd04e484dcbb20465e47b

SHA256
2c2c735c99bfe3b7ee717e0f73afabfb3c433df69dfc1403131043af8e4a77ef

SHA512
db468ee04f6ca137961e96a06a046ada12ae461829ef4a04b3804c82c2237407b6a5a1aa424b1ca3a6796ac48a90617012f7104d8f7a2847a211a039dd29ee0d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
35d7ca268f8a2f74057de8428a47893e

SHA1
e8790eff5208e935c4688a644c1a33a12b9467b2

SHA256
70f14eaf6239bf30d6acd4f6948bb9049a9cc6f456a4edb2fa254d0924c71d3f

SHA512
5970a6b820ddc672479767140762d3944ad4f5ecafddebc1834edb8f16b512ebb68e827a6b40df4e8d952c4c2bf2487bd754405683b8acd56de5346318883756

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
8f6d6731aac3e527598e1b5f491cf272

SHA1
941a401eafd9e3ab66162f49c0be12d4a5728ab2

SHA256
337a5fc5f7a15859220c7a11cea75afc5e65758b3f9d589f4e18d7f83212efe1

SHA512
f1ca8a76221f0d825eeeceddc56bb22022f7323525a0c6f3de170fffc9b24eda1189cf4b5c7dbfb6156866835f6f8802e5175dedb1380dd7626ac2b75eb272c0

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
df288bc2a9eed4519c56425ec095986f

SHA1
0431a2f957b40a767e353c273d413d000aea41b5

SHA256
33c4a6695f2e2d6f033d8cf7319621de6bfee1ac694f79d2027a68fd4e0b6797

SHA512
0f34bacd7132172c4d1a4febb3c143dcaa42bee9fbd85bfe19110ce1ecfdd7d03f82536cd9beeccab6f07975f95b71ca84b1b6e640d593769b67a81fe15d3c3e

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
9bf39ed53353bdb6a1d69902c9554839

SHA1
00cd1cce90151eb1248c88ce2b500d7b3218057f

SHA256
8f79e1bb1d83e302037376666c5e1e7d4f3866238a10fcdb3484ac81148cec80

SHA512
508dc147a606a85115dc6cb915429d5a5769be102f88ab24f4f4a79e2c658ecfe993cfb53e35b64777b8fb075ce3f3e42f7d2817f752c8d9369b18cb7a54254a

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
d65fb2db119c3a66c19512e9e1a86ce6

SHA1
0633c0096bf97100a1bd3f6d6d0f839a06a5d165

SHA256
803c7aa4aad31af6c9b935d7b067fe9975cd3ecc41f8a244a312738b0459e7ed

SHA512
658900c9c19edfe699a137faa19a749cbd928ea0a492d8839ca065f8e8f4501b4f94a6c838bc4364e90657b1d3e9adf5703ef65c8e6e7e57f66375c00f123763

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
2a5570bc29b965ba09e4621e357e0f77

SHA1
697bc32459e415b7244eaa537c2d2e3899e687b3

SHA256
cdcd5647a316875d4fe258baac5a86e222945bce8e6b02da0ecb5d288ddcb490

SHA512
6c7aabfd42cdbee9f5bbd54278f1b07f5211f78aeb485aadebcbd0cd5c0f9856fbabfbfdd8a3e9ce61624fd16788701e600b9b4f6674e7ac5ee91037efa16213

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
2a5570bc29b965ba09e4621e357e0f77

SHA1
697bc32459e415b7244eaa537c2d2e3899e687b3

SHA256
cdcd5647a316875d4fe258baac5a86e222945bce8e6b02da0ecb5d288ddcb490

SHA512
6c7aabfd42cdbee9f5bbd54278f1b07f5211f78aeb485aadebcbd0cd5c0f9856fbabfbfdd8a3e9ce61624fd16788701e600b9b4f6674e7ac5ee91037efa16213

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
5819c486cb92206622dc15f5e04517b4

SHA1
3d394fbd466e9fd4082bb54ba8b06177e941b96a

SHA256
2914ec141faae826b2cdd6305e16879487af6182365d8ff1ed0576481b6dc94d

SHA512
af93b5c90bb2bcf936f680c552bd73a2c95d5475053c75d6b5845d5d95dedd4a6c9ea0567550d39c9630b68e2f1a464da35d3b4c869a06f97643458980a33241

Download Submit
\Windows\System32\vds.exe

Filesize
1.1MB

MD5
3bf4415f2e84ad50e00b89020c51d61a

SHA1
99770c322593c4ecf8a394df2b9cfec5ce502002

SHA256
b8795844f8a160177aca6e653c38db5dd61115b89521e2c323f2f439a818bbd6

SHA512
6997746adc829489895870f09e15d6e3c260e92e4e51814d63c23fcaf4f61dccc6d58371bff47e092017a3c6ce407406be120d2ccdda51f9a7dd7f408bdb234e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
58ce0ba6e261e78b30c5155ad439ec6b

SHA1
59890095be2c84b935220c7c16a4bac701af3971

SHA256
6e7c86b261504377295a63b1fc7ee49f91f7e22c7b83b51cb90aab4a16497dca

SHA512
729e6eedaaeab8af0612110ceacc40c44b62d79d36c4206979c0dcf3a323dda4a5412440e64a54c083f04bb2e0ddbda161a08b90aeb450050e2c77789d150a96

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
07a921fdbc8f8e062ef9b6a0414bc9c5

SHA1
5ac6a1b1c05b6b58d4d580b0c6d91da536f6455f

SHA256
19f644d46850439ed296ff0c8ab2f19a2858175073fe61923fbb49f9223f770a

SHA512
785bdc4fc21f24eb775e4c9ed9374f4c6a1cd5a272513168ec7f18bfc42b8317dc643ca19a3d517a5db52ea17be98f33c4c8161bff9f8dfef2afcf5f4998ea79

Download Submit
memory/320-683-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/520-77-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/520-91-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/520-83-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/904-442-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1012-406-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1012-394-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1296-441-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1296-453-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1436-126-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1436-109-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/1436-114-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/1500-71-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1500-65-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1500-89-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1612-393-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1612-379-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1624-231-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1624-332-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1664-684-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1664-730-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/1712-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1712-512-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-486-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-597-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-586-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1804-608-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1816-194-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1816-510-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1988-646-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2008-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2016-623-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2096-107-0x0000000000400000-0x000000000069D000-memory.dmp

Filesize
2.6MB

Download
memory/2096-87-0x0000000000400000-0x000000000069D000-memory.dmp

Filesize
2.6MB

Download
memory/2096-54-0x00000000001A0000-0x0000000000207000-memory.dmp

Filesize
412KB

Download
memory/2096-59-0x00000000001A0000-0x0000000000207000-memory.dmp

Filesize
412KB

Download
memory/2108-465-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2216-536-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2216-528-0x0000000003C80000-0x0000000003D3A000-memory.dmp

Filesize
744KB

Download
memory/2228-551-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2228-534-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2304-469-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2304-480-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2328-649-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2416-325-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2416-343-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2436-609-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2436-620-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2448-503-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2448-484-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2484-735-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2540-175-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2548-429-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2548-413-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2660-698-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2664-561-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2696-134-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2696-440-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2696-128-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2696-127-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2740-585-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2752-415-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2768-468-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2768-163-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2768-153-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2768-158-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2772-467-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2772-142-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2772-150-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2772-148-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2784-192-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2808-563-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-574-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2816-736-0x0000000000C00000-0x0000000000C80000-memory.dmp

Filesize
512KB

Download
memory/2820-733-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2852-738-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/3064-124-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3064-96-0x00000000003A0000-0x0000000000407000-memory.dmp

Filesize
412KB

Download
memory/3064-93-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3064-88-0x00000000003A0000-0x0000000000407000-memory.dmp

Filesize
412KB

Download