be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838

Analysis

max time kernel
124s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
Size

1.8MB
MD5

1290e1d8ef9ca594744c53284c58c636
SHA1

f14ff2e2a886d33fd096f531d7ad0e360bc52001
SHA256

be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838
SHA512

eceab8e8a8c32c3070327e021bb13a28a7e1f06d80ada8f647a65cd333da6af90e7d3341c7b1f46be43c2887e4afdaab126c5862eef0929391c320d75be719b0
SSDEEP

49152:CK783MoXnFv3dcj7q5LsLp3CceMuczXrbe30jaNf1TWbdz:CK78HXnl3dcj7q5KpyceMuczXPU023W

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 46 IoCs

pid	Process
468	Process not Found
2748	alg.exe
2612	aspnet_state.exe
2508	mscorsvw.exe
3004	mscorsvw.exe
2676	mscorsvw.exe
928	mscorsvw.exe
1688	dllhost.exe
1560	ehRecvr.exe
2344	ehsched.exe
1264	elevation_service.exe
2024	IEEtwCollector.exe
2116	GROOVE.EXE
2424	maintenanceservice.exe
1704	msdtc.exe
2700	msiexec.exe
1292	OSE.EXE
692	mscorsvw.exe
2476	OSPPSVC.EXE
1852	perfhost.exe
1344	locator.exe
2920	snmptrap.exe
1864	vds.exe
2964	vssvc.exe
1984	wbengine.exe
3000	WmiApSrv.exe
2544	wmpnetwk.exe
2204	mscorsvw.exe
2012	SearchIndexer.exe
2328	mscorsvw.exe
664	mscorsvw.exe
1380	mscorsvw.exe
776	mscorsvw.exe
2004	mscorsvw.exe
1684	mscorsvw.exe
1612	mscorsvw.exe
2668	mscorsvw.exe
2376	mscorsvw.exe
2128	mscorsvw.exe
764	mscorsvw.exe
1924	mscorsvw.exe
3064	mscorsvw.exe
2376	mscorsvw.exe
2092	mscorsvw.exe
2124	mscorsvw.exe
1700	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2700	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
752	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9b2984dc30a3ea8.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\vssvc.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\System32\vds.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\wbengine.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\System32\alg.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\locator.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EA2C7285-8C4B-414A-BAD5-09DAEB82FC15}\chrome_installer.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8609EB13-86B4-461F-BBD7-28CD01DF4BC0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8609EB13-86B4-461F-BBD7-28CD01DF4BC0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{D8FA00E0-D73B-4D0E-B0E0-4D83AA3F3A7E}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{D8FA00E0-D73B-4D0E-B0E0-4D83AA3F3A7E}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
980	ehRec.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: 33	3064	EhTray.exe
Token: SeIncBasePriorityPrivilege	3064	EhTray.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: SeShutdownPrivilege	928	mscorsvw.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeSecurityPrivilege	2700	msiexec.exe
Token: SeDebugPrivilege	980	ehRec.exe
Token: SeBackupPrivilege	2964	vssvc.exe
Token: SeRestorePrivilege	2964	vssvc.exe
Token: SeAuditPrivilege	2964	vssvc.exe
Token: SeBackupPrivilege	1984	wbengine.exe
Token: SeRestorePrivilege	1984	wbengine.exe
Token: SeSecurityPrivilege	1984	wbengine.exe
Token: 33	3064	EhTray.exe
Token: SeIncBasePriorityPrivilege	3064	EhTray.exe
Token: SeManageVolumePrivilege	2012	SearchIndexer.exe
Token: 33	2012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2012	SearchIndexer.exe
Token: 33	2544	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2544	wmpnetwk.exe
Token: SeDebugPrivilege	2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
Token: SeDebugPrivilege	2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
Token: SeDebugPrivilege	2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
Token: SeDebugPrivilege	2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
Token: SeDebugPrivilege	2888	be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
Token: SeDebugPrivilege	2748	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3064	EhTray.exe
3064	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3064	EhTray.exe
3064	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1580	SearchProtocolHost.exe
1580	SearchProtocolHost.exe
1580	SearchProtocolHost.exe
1580	SearchProtocolHost.exe
1580	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 692	2676	mscorsvw.exe	46
PID 2676 wrote to memory of 692	2676	mscorsvw.exe	46
PID 2676 wrote to memory of 692	2676	mscorsvw.exe	46
PID 2676 wrote to memory of 692	2676	mscorsvw.exe	46
PID 2676 wrote to memory of 2204	2676	mscorsvw.exe	57
PID 2676 wrote to memory of 2204	2676	mscorsvw.exe	57
PID 2676 wrote to memory of 2204	2676	mscorsvw.exe	57
PID 2676 wrote to memory of 2204	2676	mscorsvw.exe	57
PID 2676 wrote to memory of 2328	2676	mscorsvw.exe	60
PID 2676 wrote to memory of 2328	2676	mscorsvw.exe	60
PID 2676 wrote to memory of 2328	2676	mscorsvw.exe	60
PID 2676 wrote to memory of 2328	2676	mscorsvw.exe	60
PID 2676 wrote to memory of 664	2676	mscorsvw.exe	61
PID 2676 wrote to memory of 664	2676	mscorsvw.exe	61
PID 2676 wrote to memory of 664	2676	mscorsvw.exe	61
PID 2676 wrote to memory of 664	2676	mscorsvw.exe	61
PID 2676 wrote to memory of 1380	2676	mscorsvw.exe	62
PID 2676 wrote to memory of 1380	2676	mscorsvw.exe	62
PID 2676 wrote to memory of 1380	2676	mscorsvw.exe	62
PID 2676 wrote to memory of 1380	2676	mscorsvw.exe	62
PID 2676 wrote to memory of 776	2676	mscorsvw.exe	63
PID 2676 wrote to memory of 776	2676	mscorsvw.exe	63
PID 2676 wrote to memory of 776	2676	mscorsvw.exe	63
PID 2676 wrote to memory of 776	2676	mscorsvw.exe	63
PID 2012 wrote to memory of 1580	2012	SearchIndexer.exe	64
PID 2012 wrote to memory of 1580	2012	SearchIndexer.exe	64
PID 2012 wrote to memory of 1580	2012	SearchIndexer.exe	64
PID 2012 wrote to memory of 1868	2012	SearchIndexer.exe	65
PID 2012 wrote to memory of 1868	2012	SearchIndexer.exe	65
PID 2012 wrote to memory of 1868	2012	SearchIndexer.exe	65
PID 2676 wrote to memory of 2004	2676	mscorsvw.exe	66
PID 2676 wrote to memory of 2004	2676	mscorsvw.exe	66
PID 2676 wrote to memory of 2004	2676	mscorsvw.exe	66
PID 2676 wrote to memory of 2004	2676	mscorsvw.exe	66
PID 2676 wrote to memory of 1684	2676	mscorsvw.exe	67
PID 2676 wrote to memory of 1684	2676	mscorsvw.exe	67
PID 2676 wrote to memory of 1684	2676	mscorsvw.exe	67
PID 2676 wrote to memory of 1684	2676	mscorsvw.exe	67
PID 2676 wrote to memory of 1612	2676	mscorsvw.exe	68
PID 2676 wrote to memory of 1612	2676	mscorsvw.exe	68
PID 2676 wrote to memory of 1612	2676	mscorsvw.exe	68
PID 2676 wrote to memory of 1612	2676	mscorsvw.exe	68
PID 2676 wrote to memory of 2668	2676	mscorsvw.exe	69
PID 2676 wrote to memory of 2668	2676	mscorsvw.exe	69
PID 2676 wrote to memory of 2668	2676	mscorsvw.exe	69
PID 2676 wrote to memory of 2668	2676	mscorsvw.exe	69
PID 2012 wrote to memory of 856	2012	SearchIndexer.exe	70
PID 2012 wrote to memory of 856	2012	SearchIndexer.exe	70
PID 2012 wrote to memory of 856	2012	SearchIndexer.exe	70
PID 2676 wrote to memory of 2376	2676	mscorsvw.exe	71
PID 2676 wrote to memory of 2376	2676	mscorsvw.exe	71
PID 2676 wrote to memory of 2376	2676	mscorsvw.exe	71
PID 2676 wrote to memory of 2376	2676	mscorsvw.exe	71
PID 2676 wrote to memory of 2128	2676	mscorsvw.exe	72
PID 2676 wrote to memory of 2128	2676	mscorsvw.exe	72
PID 2676 wrote to memory of 2128	2676	mscorsvw.exe	72
PID 2676 wrote to memory of 2128	2676	mscorsvw.exe	72
PID 2676 wrote to memory of 764	2676	mscorsvw.exe	73
PID 2676 wrote to memory of 764	2676	mscorsvw.exe	73
PID 2676 wrote to memory of 764	2676	mscorsvw.exe	73
PID 2676 wrote to memory of 764	2676	mscorsvw.exe	73
PID 2676 wrote to memory of 1924	2676	mscorsvw.exe	74
PID 2676 wrote to memory of 1924	2676	mscorsvw.exe	74
PID 2676 wrote to memory of 1924	2676	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Local\Temp\be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe
"C:\Users\Admin\AppData\Local\Temp\be7add79713edc4a97f61acce624e47d947e21d51420960e95c9617a7b582838.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 27c -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 1ac -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 290 -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 290 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1688

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1560

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2024

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1292

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2476

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-86725733-3001458681-3405935542-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-86725733-3001458681-3405935542-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1868
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
4036c1d51b0c4fbbfe892c5da38fc28b

SHA1
d17cf1eb503ef7b5089c6aab68798759905fe882

SHA256
ef1a0e966e9d2e40a451fc16d70aa0e2bf90157cbcd555f1574f4ff46cba5839

SHA512
e8670815c1c958bcd9c3204dae6265e4e144cfb9bd8cfae5fcc0ff8fd967546be6eaa001a220168e7eab9e16ff95491374fe3def032fdd3bb5dcb9ade70cd2ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
f8ea6bf493f0daaa6dc548d990ffa25c

SHA1
e930bf61d7183721b6f472b93a0dd778b37713b1

SHA256
f048283c6e0b29b17daeda9597c2c78e4028add329dd71c91857e345df56323c

SHA512
2b2368c599cdedc0269883020ce8ff321a7da465bbe444f7fe9ef8e58a3ed3911622cf24323e6c007ba0919ab222d69b91eba7163239c002153dd104d312c4c1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
ff3ae4981fb113b1f9e217f3b013bc26

SHA1
9bd5fd3167c9517cbbcd8e5e8634e9f5763f9058

SHA256
28ab5968f5663dfdb8d484be6924d78d33372fc93e32d334aeaddee60cc7971b

SHA512
84cef64e6008c9c7fdc85183bd8b535a3569fa53d5a769429aead5d93d4ef6171a4e9554bf738e8434839425109a26d0198cadd3f98770e5b68ed950753b285b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
5bb9b48792576d8e7d32471c630ef4e6

SHA1
8aafad19c51e3dd15df2a81de9408a5e802166a4

SHA256
81c52f448ee900e5889cfb93015f493c504b3a94a3c4a1bb75ae54c8a6a2b21e

SHA512
e898be3ebce700180d71dcdc3b85460e300d0bf5acbfe240378d42c28593b2159c06a607597ad1e8ac5566a7e6e9348b754c18107f9cdf2966995edeab805215

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
815b2cb1aa653507f63f0db337e0e068

SHA1
e6c1962544d4fa41a78db947fc67dfaed6715877

SHA256
5ae09252e049aed4936639b1b8ef1aefafaa21bb9d288615f570fb6edd640a84

SHA512
373254e7ffdf3559eb54fbbf1f9cfe38aaba3961d6b98e7f3cc280d74f267df1966df03da0e23ce7f4a84f3e9509492c319437377e294d66abe167e1ff3bfe92

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
2d43a7c7fe1bac33d1b38d7f64dfade6

SHA1
a024a1029b0ffc0530d5af99c538a3a5181f161f

SHA256
cacc03732e1861f0ad3ee13ee3dc697ac4ba49bfcf39cce39a9c498f031da742

SHA512
16ec46f77ae538fd751585bb8fc27df06100805e061db46b4f06a415add93381ef3a17ac8cbb48f03d991169f4079f0edd446b8011060cc58cd901eda8b1d61b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
12c996941beb748468b2674cfd764d2e

SHA1
c8a54cca8eade95a28eec3aa8e07dd20b3f8f265

SHA256
f339fea675a9113986dd3988ff1b1b3a8d5dace88fc463606e88dc71484c604e

SHA512
d132f2f49c7eb4f5805bcc29e359ba7926f1c478e99aec08c37208f5faee5e25ce182f3c18c7c1c850ededac43bccfb1938f2b5866b1f1ecf0a0f4514ff1e929

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
60ec234e924a4fd3e6c84e70beea995f

SHA1
b6ebce087853b4836304c61534454c5ea67d9a40

SHA256
3a518a71200950bbe6f3a831ed717d97136107bf8d73f56d974e565108ccb6ef

SHA512
b3e23aeaa3f3e7571c664104e1df22e6378285be0a567a4968c52d26898168a2aaff839c132a84c4182a3e1c027610fa45c91b4e7fa8cd1224a5d341f740b481

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
60ec234e924a4fd3e6c84e70beea995f

SHA1
b6ebce087853b4836304c61534454c5ea67d9a40

SHA256
3a518a71200950bbe6f3a831ed717d97136107bf8d73f56d974e565108ccb6ef

SHA512
b3e23aeaa3f3e7571c664104e1df22e6378285be0a567a4968c52d26898168a2aaff839c132a84c4182a3e1c027610fa45c91b4e7fa8cd1224a5d341f740b481

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a5321a0b3d9b497195d03f41290ed32a

SHA1
99aebc1afc951ce05d7ae426b868b80211a9e994

SHA256
d4c10e9a6183f02749d0ad53adcefd459243c44e443cbb971921f601b1c8030c

SHA512
22d244477996616f0ce1fde939b9b5fbfd899c3cbadd885d1d352e30da51f09bf4eaacceedfef4eaf201af53f491201e82161a6b8ff579a18679c811cd8500df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
8efae4d3297f86d3f35fab6fb9a81172

SHA1
55af7ccc790db21b006ef9ad2d36098f83d694b4

SHA256
08a62d8c5a704e662d1a9e8db041536f0e5132c8a6ac14f3bbdffcec6388c3c4

SHA512
a7f6a9d37898d8f92842568d574dbe1ff96e8b57dae98124b5aa2abb87e1fb00a4e50ec2986d195857c1c1ef66aebef2c05a34f6d45a29253aa9a4576d0d7645

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
d851f8140176678c81b42b11fc0e052b

SHA1
5e2f2e3ea6503ae46b5dc1a909485b7e4e4c3d11

SHA256
4e3662bcdafab6d9850214f762a987e30278d9085a40c35aa4139aeb754a5e24

SHA512
f5e62c5556d9e03253d5188ff5b55f7ce4fc3eacce985b44f62a75b59398a5119a05d3035c6978fdc340ca7f70cb90991b186f6951b1bdf32e6fec8c3b577124

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
d851f8140176678c81b42b11fc0e052b

SHA1
5e2f2e3ea6503ae46b5dc1a909485b7e4e4c3d11

SHA256
4e3662bcdafab6d9850214f762a987e30278d9085a40c35aa4139aeb754a5e24

SHA512
f5e62c5556d9e03253d5188ff5b55f7ce4fc3eacce985b44f62a75b59398a5119a05d3035c6978fdc340ca7f70cb90991b186f6951b1bdf32e6fec8c3b577124

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
5d8fe945b4c646fc89fb3a4143a981a0

SHA1
b485ed9c874a0a04b5e76f30542868b513f696e4

SHA256
d05bed44eec0cf34eb7b4c4edc9b782b98c9838096c5c56419c0f5e9e186b94c

SHA512
0ad83cc847003710f943c2ac24e3eabbbb4a40456c089b6fa62d0328ff930dd00f38175a7eae9b53d8e0439d31cfc2a08a7351b60fd6b84bf15b2eba968edc41

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
5d8fe945b4c646fc89fb3a4143a981a0

SHA1
b485ed9c874a0a04b5e76f30542868b513f696e4

SHA256
d05bed44eec0cf34eb7b4c4edc9b782b98c9838096c5c56419c0f5e9e186b94c

SHA512
0ad83cc847003710f943c2ac24e3eabbbb4a40456c089b6fa62d0328ff930dd00f38175a7eae9b53d8e0439d31cfc2a08a7351b60fd6b84bf15b2eba968edc41

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c007289c453abe0c172f9b01ea3f0259

SHA1
d60c0c83cb2e04d556fb28f8b1e5a5e1c5f2fc2a

SHA256
163de1f6e34362befe94ae26768a8c563dc7e68e3e70139b0e6850b84dd74dcb

SHA512
5b12a3dca53be24d3c756eb520db08a9e3c9cad13705953f6b58647b5865ab5dc34450a20df989827e7ba57ae72912bbfc2db31edfe3a93fa165edd6108691b4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
f72d2a604c4522bb8be0cab39de1162c

SHA1
ad37ef7151288cce0c97035871e98a74814d39ac

SHA256
8121a240e9dca2119238d2536b0a53c7bdaf7f1e2c15dc5e552ee2b137af250b

SHA512
7875d1e4519d89b122bc2eba3d607bebe135d7f817142ca3d2971ef59f23e2226d599849f7704bd3fd9d85bf1b46f219d959e68206fd8e22b4f3cc5c1b3e5892

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
66da322909c16069fe47b78b85801fe2

SHA1
00459ffb5f7cd99a8c516494b0c7e2e262351fe5

SHA256
4acccf95d92df5827eb9dd8ce37d53856029975f3fa089dc5c7270821dbaa51b

SHA512
c70533b180f748f325d2b42a2208ad943d34a4e0063147cd45d4989f04d34c0aab2696639952f64748230ea5779cda48161ea1795eba4a0377dd5cf1f0ef8636

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
982ce1dc359fcbbe55c59cc572c03a8e

SHA1
e68f5f50d7bd15b1ccfacb31dc7133d78fb0276d

SHA256
ea5256a7a24f3b85e8d1aac4516d187daf5f510f8fad061a3cd12e9466192761

SHA512
01821e9e4623b48a1998dda8a78968e08eebe7d5d4bf997c18cedc538d4a06cc79fd15a40f9abe79bb5df6aa079540c96b8080307905cdd49c13f9cd46ca83be

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
541e631bbf371e964e37a8670ac783b7

SHA1
840ac3604bbfe95740e6fa2bc7c6cc146af80b59

SHA256
eb5d6657d6388d68c30672663ab5798f93f80e6f0627b4058c2baae32824b622

SHA512
eb96d203aaf5da322c227c246c6b54a1375253c87424d2b0c60bc064f8fe452e67bf88837b7666d2a00bc93b9e2b4a732c2ddf8ba0e0a50c8e7f457585ca399f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
c0895a9448bdc44b384b34f7c2bfb968

SHA1
348d0bb1ac5cb7091213d0148508696b5b99d421

SHA256
46b82e675c2ff617ce00133c0bb280a5522615947e1cac25e1c10c28b205d6c4

SHA512
724f3c412e6a6165bcc774f217ae4df77eb9e04803706b897526e1f173d0419e355a33af42456f863755bbb8369d7a9150482c95c55b2326f7172cd7ae4ae0ab

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
279fd3621fe8b8a3661c97eaa524f4ab

SHA1
593faf7c3e8298b9b56e5c225f1966be203142ce

SHA256
11a26dba121fcf3ba1f2d4a2c76159d4f400f4e952eea9ce20058c56d0b75d8f

SHA512
cd52f7588d5024d59fcb1ff1a7fd473996efe6e79cc2896aa2f0e3fce9db63542ce33247afa21a8e8416ccb047a957f3eeeadeb02bea61e5eae07cbc4eb6438e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
1008c2c7b37e1567cbc4d362e343c4e7

SHA1
61870692d803edafdf3f9088fe4a873b1588013b

SHA256
9223e40f3d1d4321db8a804c3e51da7f49fbd98b93d2497efa686b019c115e57

SHA512
49597f3be2a3f7d29f69c56f1621f65009393b417116ccdbec7bfe5c6002d74c18e5eb3882b8d158447bedd58694962e7eebd1e979ca49596c0a9a2a55b7af54

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
5690e3fcad7c868b47d887af80f4fb6c

SHA1
dee06f5245fcce0804209d7cf1e7bc10fda37b62

SHA256
b99699f12f3f3b0d3de5d12fd5534265fe64faa3b5bc3e2a98233df5acbfcd43

SHA512
7963942b79175c2b896cfc270694d036273aef734cee80b1e9462c0580cdcf662b42baedd6b3446e2ce01b45e376cbe77222f19daa701e8b9389919c99b02ab8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b0cebe32c965db5967ca84243b0c8994

SHA1
1642021f790e7d881b35f4c6cbdc2ffff4324481

SHA256
c975e272a64acb70eec09e80b6347561777bea6265f02fbd93bd0f0519e742d1

SHA512
196653e18350d87bd49e9d0ba4cd0086093fdf8022bf3252635323eed16fc86a9b6841e00f527519e1be5b7cfa867074e6e13607e4ca00f031273486325b92f1

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
64f7460f2ed4a4e1ae41f6fd74341954

SHA1
42c3b2b55e6cd15e19133a1212c04afbcc15750d

SHA256
f40b09f6ec9f9a7a2ac0a6ab7786b4e3bdb87fc1ba85e8525b35907775f034a5

SHA512
f645e211e89b6ca39d884e5f0e5b69ee0d8450d8afe08369a663ef08e69eff34bc62d2875ce2be86e57a6fa33717d55b56bbec63ffc40f3a850882292c60e3fb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
60833f2c72802cdc50011febe424b787

SHA1
cfcdc03d6928e67c32be5fdb010dcc149356d43f

SHA256
d75ad6de71fae7ec1ee73c3f9d69d34c10efd199c084aa936a21771e7aef8f33

SHA512
bd9564790de27fca53743a669a8450cfcc862869e210d8f5898943386fe3f91bbee608aae8e432452f78da0b7d7572da86024febace4affd30060a4e07a846a2

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
18ce7d5fef32d191dab5d969e6c9b1d4

SHA1
cb43fae5a6a15eb0de94de30ab1ac0bf766d3929

SHA256
a1a32468dc2237b9a4c5091ebaf843e2942d48d128ebd5688e2879fa37b60aa4

SHA512
5bbecd60366064934f4e89e6f2cb360b62141d7344b35ce1b254af0a767b6c6b71579d52ed78b51f9f38c7d3c7569595f51e92a612e8609206ccb4c5b9747381

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
6dcbed8427c899921d1efd8918d03126

SHA1
8e2682f273d937844db656a09369ad0c4ac06d2d

SHA256
0405a5836bf7bbc3238ac826088102cb0139bb08ab54187459448899a4eb4253

SHA512
fb01c1b4062d11c13598151cca45bbcf6324c8bd21fae63beb8c4ed0d527960bd89f693c75073fb815894ee6e2a6fb4ebb571247eed29ea9563a27d49b447c8d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6d6429aef4ecc22d7350085a3f0a5231

SHA1
58513831240c78a84ce2a0da03f906bf5b027823

SHA256
aed3fa5dc2a8552b861cf5950ddd02b3975c435d556c6b0b475cbce5733d5837

SHA512
de8332d09f5358cc856d2e71ba6876909b6317628f4de8c75adcb24c32c9baa0bde2b029e559e2e916aca51605a9bf884ed10bea96465a522ad4cbdb0b126c2a

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fc3aeca7c80b20c646256bfe51e4763e

SHA1
fe8821839599488b4ca33a1e23e547e751f034d6

SHA256
1dfbe3f0aea8cd8d48c44f5e63f13f494e55b06cf5de0c7aebba9688b3ae5b31

SHA512
04c73cfa5308fd5c9cba848f552f07587e21f649b2de396eec4c4568e49911175a70b38f4df31c4c822b01b2dcd2ef1f8db206e1f453eaf43d21047133a17083

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
f30aa3e7676fd7ce1b644957406308b8

SHA1
43db340d110da34550e182f546fbce94771e2c5d

SHA256
4462cb3911d42a5771e86bcbd3a002a4223fc313ba32418dcd242cde75516760

SHA512
16f4dcdb7954b6be0bb4013f4301ad22ebf06df70469dae8272d45d1693504ba764c718575006eea5380dfd3bd790f656b1eff13e1cbb33a8d2f5d070dddbf97

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
64f7460f2ed4a4e1ae41f6fd74341954

SHA1
42c3b2b55e6cd15e19133a1212c04afbcc15750d

SHA256
f40b09f6ec9f9a7a2ac0a6ab7786b4e3bdb87fc1ba85e8525b35907775f034a5

SHA512
f645e211e89b6ca39d884e5f0e5b69ee0d8450d8afe08369a663ef08e69eff34bc62d2875ce2be86e57a6fa33717d55b56bbec63ffc40f3a850882292c60e3fb

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
2d43a7c7fe1bac33d1b38d7f64dfade6

SHA1
a024a1029b0ffc0530d5af99c538a3a5181f161f

SHA256
cacc03732e1861f0ad3ee13ee3dc697ac4ba49bfcf39cce39a9c498f031da742

SHA512
16ec46f77ae538fd751585bb8fc27df06100805e061db46b4f06a415add93381ef3a17ac8cbb48f03d991169f4079f0edd446b8011060cc58cd901eda8b1d61b

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
2d43a7c7fe1bac33d1b38d7f64dfade6

SHA1
a024a1029b0ffc0530d5af99c538a3a5181f161f

SHA256
cacc03732e1861f0ad3ee13ee3dc697ac4ba49bfcf39cce39a9c498f031da742

SHA512
16ec46f77ae538fd751585bb8fc27df06100805e061db46b4f06a415add93381ef3a17ac8cbb48f03d991169f4079f0edd446b8011060cc58cd901eda8b1d61b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.6MB

MD5
60ec234e924a4fd3e6c84e70beea995f

SHA1
b6ebce087853b4836304c61534454c5ea67d9a40

SHA256
3a518a71200950bbe6f3a831ed717d97136107bf8d73f56d974e565108ccb6ef

SHA512
b3e23aeaa3f3e7571c664104e1df22e6378285be0a567a4968c52d26898168a2aaff839c132a84c4182a3e1c027610fa45c91b4e7fa8cd1224a5d341f740b481

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
8efae4d3297f86d3f35fab6fb9a81172

SHA1
55af7ccc790db21b006ef9ad2d36098f83d694b4

SHA256
08a62d8c5a704e662d1a9e8db041536f0e5132c8a6ac14f3bbdffcec6388c3c4

SHA512
a7f6a9d37898d8f92842568d574dbe1ff96e8b57dae98124b5aa2abb87e1fb00a4e50ec2986d195857c1c1ef66aebef2c05a34f6d45a29253aa9a4576d0d7645

Download Submit
\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
982ce1dc359fcbbe55c59cc572c03a8e

SHA1
e68f5f50d7bd15b1ccfacb31dc7133d78fb0276d

SHA256
ea5256a7a24f3b85e8d1aac4516d187daf5f510f8fad061a3cd12e9466192761

SHA512
01821e9e4623b48a1998dda8a78968e08eebe7d5d4bf997c18cedc538d4a06cc79fd15a40f9abe79bb5df6aa079540c96b8080307905cdd49c13f9cd46ca83be

Download Submit
\Windows\System32\alg.exe

Filesize
1.6MB

MD5
279fd3621fe8b8a3661c97eaa524f4ab

SHA1
593faf7c3e8298b9b56e5c225f1966be203142ce

SHA256
11a26dba121fcf3ba1f2d4a2c76159d4f400f4e952eea9ce20058c56d0b75d8f

SHA512
cd52f7588d5024d59fcb1ff1a7fd473996efe6e79cc2896aa2f0e3fce9db63542ce33247afa21a8e8416ccb047a957f3eeeadeb02bea61e5eae07cbc4eb6438e

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
1008c2c7b37e1567cbc4d362e343c4e7

SHA1
61870692d803edafdf3f9088fe4a873b1588013b

SHA256
9223e40f3d1d4321db8a804c3e51da7f49fbd98b93d2497efa686b019c115e57

SHA512
49597f3be2a3f7d29f69c56f1621f65009393b417116ccdbec7bfe5c6002d74c18e5eb3882b8d158447bedd58694962e7eebd1e979ca49596c0a9a2a55b7af54

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
5690e3fcad7c868b47d887af80f4fb6c

SHA1
dee06f5245fcce0804209d7cf1e7bc10fda37b62

SHA256
b99699f12f3f3b0d3de5d12fd5534265fe64faa3b5bc3e2a98233df5acbfcd43

SHA512
7963942b79175c2b896cfc270694d036273aef734cee80b1e9462c0580cdcf662b42baedd6b3446e2ce01b45e376cbe77222f19daa701e8b9389919c99b02ab8

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b0cebe32c965db5967ca84243b0c8994

SHA1
1642021f790e7d881b35f4c6cbdc2ffff4324481

SHA256
c975e272a64acb70eec09e80b6347561777bea6265f02fbd93bd0f0519e742d1

SHA512
196653e18350d87bd49e9d0ba4cd0086093fdf8022bf3252635323eed16fc86a9b6841e00f527519e1be5b7cfa867074e6e13607e4ca00f031273486325b92f1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
64f7460f2ed4a4e1ae41f6fd74341954

SHA1
42c3b2b55e6cd15e19133a1212c04afbcc15750d

SHA256
f40b09f6ec9f9a7a2ac0a6ab7786b4e3bdb87fc1ba85e8525b35907775f034a5

SHA512
f645e211e89b6ca39d884e5f0e5b69ee0d8450d8afe08369a663ef08e69eff34bc62d2875ce2be86e57a6fa33717d55b56bbec63ffc40f3a850882292c60e3fb

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
64f7460f2ed4a4e1ae41f6fd74341954

SHA1
42c3b2b55e6cd15e19133a1212c04afbcc15750d

SHA256
f40b09f6ec9f9a7a2ac0a6ab7786b4e3bdb87fc1ba85e8525b35907775f034a5

SHA512
f645e211e89b6ca39d884e5f0e5b69ee0d8450d8afe08369a663ef08e69eff34bc62d2875ce2be86e57a6fa33717d55b56bbec63ffc40f3a850882292c60e3fb

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
60833f2c72802cdc50011febe424b787

SHA1
cfcdc03d6928e67c32be5fdb010dcc149356d43f

SHA256
d75ad6de71fae7ec1ee73c3f9d69d34c10efd199c084aa936a21771e7aef8f33

SHA512
bd9564790de27fca53743a669a8450cfcc862869e210d8f5898943386fe3f91bbee608aae8e432452f78da0b7d7572da86024febace4affd30060a4e07a846a2

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
6dcbed8427c899921d1efd8918d03126

SHA1
8e2682f273d937844db656a09369ad0c4ac06d2d

SHA256
0405a5836bf7bbc3238ac826088102cb0139bb08ab54187459448899a4eb4253

SHA512
fb01c1b4062d11c13598151cca45bbcf6324c8bd21fae63beb8c4ed0d527960bd89f693c75073fb815894ee6e2a6fb4ebb571247eed29ea9563a27d49b447c8d

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6d6429aef4ecc22d7350085a3f0a5231

SHA1
58513831240c78a84ce2a0da03f906bf5b027823

SHA256
aed3fa5dc2a8552b861cf5950ddd02b3975c435d556c6b0b475cbce5733d5837

SHA512
de8332d09f5358cc856d2e71ba6876909b6317628f4de8c75adcb24c32c9baa0bde2b029e559e2e916aca51605a9bf884ed10bea96465a522ad4cbdb0b126c2a

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fc3aeca7c80b20c646256bfe51e4763e

SHA1
fe8821839599488b4ca33a1e23e547e751f034d6

SHA256
1dfbe3f0aea8cd8d48c44f5e63f13f494e55b06cf5de0c7aebba9688b3ae5b31

SHA512
04c73cfa5308fd5c9cba848f552f07587e21f649b2de396eec4c4568e49911175a70b38f4df31c4c822b01b2dcd2ef1f8db206e1f453eaf43d21047133a17083

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
f30aa3e7676fd7ce1b644957406308b8

SHA1
43db340d110da34550e182f546fbce94771e2c5d

SHA256
4462cb3911d42a5771e86bcbd3a002a4223fc313ba32418dcd242cde75516760

SHA512
16f4dcdb7954b6be0bb4013f4301ad22ebf06df70469dae8272d45d1693504ba764c718575006eea5380dfd3bd790f656b1eff13e1cbb33a8d2f5d070dddbf97

Download Submit
memory/692-278-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/692-298-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/928-97-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/928-94-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/928-102-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/928-164-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/980-191-0x000007FEF3F90000-0x000007FEF492D000-memory.dmp

Filesize
9.6MB

Download
memory/980-274-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/980-271-0x000007FEF3F90000-0x000007FEF492D000-memory.dmp

Filesize
9.6MB

Download
memory/980-266-0x000007FEF3F90000-0x000007FEF492D000-memory.dmp

Filesize
9.6MB

Download
memory/980-186-0x000007FEF3F90000-0x000007FEF492D000-memory.dmp

Filesize
9.6MB

Download
memory/980-188-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1264-157-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1264-248-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1264-166-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1292-257-0x000000002E000000-0x000000002E29E000-memory.dmp

Filesize
2.6MB

Download
memory/1292-276-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1560-213-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1560-153-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1560-134-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1560-127-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1688-115-0x0000000100000000-0x000000010027E000-memory.dmp

Filesize
2.5MB

Download
memory/1688-120-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1688-200-0x0000000100000000-0x000000010027E000-memory.dmp

Filesize
2.5MB

Download
memory/1688-111-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1704-223-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1704-215-0x0000000140000000-0x000000014029F000-memory.dmp

Filesize
2.6MB

Download
memory/1704-287-0x0000000140000000-0x000000014029F000-memory.dmp

Filesize
2.6MB

Download
memory/1852-299-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1852-300-0x0000000001000000-0x000000000127F000-memory.dmp

Filesize
2.5MB

Download
memory/2024-193-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2024-206-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/2116-268-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2116-194-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2116-197-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2344-149-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2344-141-0x0000000140000000-0x000000014029B000-memory.dmp

Filesize
2.6MB

Download
memory/2344-234-0x0000000140000000-0x000000014029B000-memory.dmp

Filesize
2.6MB

Download
memory/2424-208-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/2424-228-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2424-210-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2424-227-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/2476-280-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2476-285-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2476-283-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2508-39-0x0000000010000000-0x0000000010288000-memory.dmp

Filesize
2.5MB

Download
memory/2508-44-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2508-37-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2508-88-0x0000000010000000-0x0000000010288000-memory.dmp

Filesize
2.5MB

Download
memory/2612-112-0x0000000140000000-0x0000000140286000-memory.dmp

Filesize
2.5MB

Download
memory/2612-26-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2612-25-0x0000000140000000-0x0000000140286000-memory.dmp

Filesize
2.5MB

Download
memory/2612-33-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2676-74-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2676-151-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2676-81-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2676-75-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2700-237-0x0000000100000000-0x000000010029B000-memory.dmp

Filesize
2.6MB

Download
memory/2700-241-0x00000000005B0000-0x000000000084B000-memory.dmp

Filesize
2.6MB

Download
memory/2700-244-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2700-306-0x00000000005B0000-0x000000000084B000-memory.dmp

Filesize
2.6MB

Download
memory/2700-304-0x0000000100000000-0x000000010029B000-memory.dmp

Filesize
2.6MB

Download
memory/2748-95-0x0000000100000000-0x000000010028D000-memory.dmp

Filesize
2.6MB

Download
memory/2748-19-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2748-13-0x0000000100000000-0x000000010028D000-memory.dmp

Filesize
2.6MB

Download
memory/2748-11-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2888-0-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2888-1-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2888-6-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2888-73-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/3004-89-0x0000000010000000-0x0000000010290000-memory.dmp

Filesize
2.6MB

Download
memory/3004-53-0x0000000010000000-0x0000000010290000-memory.dmp

Filesize
2.6MB

Download
memory/3004-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3004-60-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3004-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download