d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
Size

1.8MB
MD5

80416b3845566bc5e9f6a46af2bdac5c
SHA1

71c184124d65c36cc413c93342b997bcaa8a0cc8
SHA256

d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828
SHA512

f1cf7aba47e1f7a1d31b15f5cdedd340117c355b3272916e831ff7857302ac539b3a2562f27d23282e4d08c3352a3e734dadb03f91dc377b3f36bc0f25d6fc10
SSDEEP

49152:Xx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WASk61QT8y+Ttb0tP2:XvbjVkjjCAzJrDA83mt+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 56 IoCs

pid	Process
468	Process not Found
2760	alg.exe
2828	aspnet_state.exe
2124	mscorsvw.exe
1700	mscorsvw.exe
1600	mscorsvw.exe
1676	mscorsvw.exe
876	elevation_service.exe
540	GROOVE.EXE
2380	maintenanceservice.exe
1120	mscorsvw.exe
2752	OSE.EXE
2736	OSPPSVC.EXE
2556	mscorsvw.exe
1128	mscorsvw.exe
1648	mscorsvw.exe
1368	mscorsvw.exe
2696	mscorsvw.exe
2672	mscorsvw.exe
3016	mscorsvw.exe
1424	mscorsvw.exe
2580	mscorsvw.exe
1740	mscorsvw.exe
2908	mscorsvw.exe
2156	mscorsvw.exe
2876	mscorsvw.exe
1688	mscorsvw.exe
2744	mscorsvw.exe
1084	mscorsvw.exe
2500	mscorsvw.exe
2076	mscorsvw.exe
1172	mscorsvw.exe
2812	mscorsvw.exe
668	mscorsvw.exe
2096	mscorsvw.exe
2300	mscorsvw.exe
772	mscorsvw.exe
2520	dllhost.exe
916	ehRecvr.exe
2940	ehsched.exe
2560	IEEtwCollector.exe
1544	mscorsvw.exe
2288	msdtc.exe
544	msiexec.exe
1512	perfhost.exe
1248	mscorsvw.exe
2952	locator.exe
2200	mscorsvw.exe
1060	snmptrap.exe
2588	vds.exe
1580	vssvc.exe
2912	wbengine.exe
2392	WmiApSrv.exe
1712	mscorsvw.exe
1264	wmpnetwk.exe
1948	SearchIndexer.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
544	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
744	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da80a2489c8e5786.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_fi.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_hu.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\psuser_64.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\GoogleCrashHandler64.exe	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_ca.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_sr.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_hi.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_ko.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdate.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_hr.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_de.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_sv.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_bn.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_zh-CN.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_el.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4615.tmp\goopdateres_en.dll	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B76AAE6A-73CF-4544-BA5E-E43CB69A4B06}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B76AAE6A-73CF-4544-BA5E-E43CB69A4B06}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{E217F9C9-AB7D-466D-869A-B353C2878263}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{E217F9C9-AB7D-466D-869A-B353C2878263}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1584	ehRec.exe
2828	aspnet_state.exe
2828	aspnet_state.exe
2828	aspnet_state.exe
2828	aspnet_state.exe
2828	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2584	d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeDebugPrivilege	2760	alg.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2828	aspnet_state.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: 33	884	EhTray.exe
Token: SeIncBasePriorityPrivilege	884	EhTray.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeSecurityPrivilege	544	msiexec.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeDebugPrivilege	1584	ehRec.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeBackupPrivilege	1580	vssvc.exe
Token: SeRestorePrivilege	1580	vssvc.exe
Token: SeAuditPrivilege	1580	vssvc.exe
Token: SeBackupPrivilege	2912	wbengine.exe
Token: SeRestorePrivilege	2912	wbengine.exe
Token: SeSecurityPrivilege	2912	wbengine.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: 33	884	EhTray.exe
Token: SeIncBasePriorityPrivilege	884	EhTray.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeDebugPrivilege	2828	aspnet_state.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: 33	1264	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1264	wmpnetwk.exe
Token: SeManageVolumePrivilege	1948	SearchIndexer.exe
Token: 33	1948	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1948	SearchIndexer.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe
Token: SeShutdownPrivilege	1676	mscorsvw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1660	SearchProtocolHost.exe
1660	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1120	1676	mscorsvw.exe	37
PID 1676 wrote to memory of 1120	1676	mscorsvw.exe	37
PID 1676 wrote to memory of 1120	1676	mscorsvw.exe	37
PID 1676 wrote to memory of 2556	1676	mscorsvw.exe	40
PID 1676 wrote to memory of 2556	1676	mscorsvw.exe	40
PID 1676 wrote to memory of 2556	1676	mscorsvw.exe	40
PID 1600 wrote to memory of 1128	1600	mscorsvw.exe	41
PID 1600 wrote to memory of 1128	1600	mscorsvw.exe	41
PID 1600 wrote to memory of 1128	1600	mscorsvw.exe	41
PID 1600 wrote to memory of 1128	1600	mscorsvw.exe	41
PID 1600 wrote to memory of 1648	1600	mscorsvw.exe	44
PID 1600 wrote to memory of 1648	1600	mscorsvw.exe	44
PID 1600 wrote to memory of 1648	1600	mscorsvw.exe	44
PID 1600 wrote to memory of 1648	1600	mscorsvw.exe	44
PID 1600 wrote to memory of 1368	1600	mscorsvw.exe	45
PID 1600 wrote to memory of 1368	1600	mscorsvw.exe	45
PID 1600 wrote to memory of 1368	1600	mscorsvw.exe	45
PID 1600 wrote to memory of 1368	1600	mscorsvw.exe	45
PID 1600 wrote to memory of 2696	1600	mscorsvw.exe	46
PID 1600 wrote to memory of 2696	1600	mscorsvw.exe	46
PID 1600 wrote to memory of 2696	1600	mscorsvw.exe	46
PID 1600 wrote to memory of 2696	1600	mscorsvw.exe	46
PID 1600 wrote to memory of 2672	1600	mscorsvw.exe	47
PID 1600 wrote to memory of 2672	1600	mscorsvw.exe	47
PID 1600 wrote to memory of 2672	1600	mscorsvw.exe	47
PID 1600 wrote to memory of 2672	1600	mscorsvw.exe	47
PID 1600 wrote to memory of 3016	1600	mscorsvw.exe	48
PID 1600 wrote to memory of 3016	1600	mscorsvw.exe	48
PID 1600 wrote to memory of 3016	1600	mscorsvw.exe	48
PID 1600 wrote to memory of 3016	1600	mscorsvw.exe	48
PID 1600 wrote to memory of 1424	1600	mscorsvw.exe	49
PID 1600 wrote to memory of 1424	1600	mscorsvw.exe	49
PID 1600 wrote to memory of 1424	1600	mscorsvw.exe	49
PID 1600 wrote to memory of 1424	1600	mscorsvw.exe	49
PID 1600 wrote to memory of 2580	1600	mscorsvw.exe	50
PID 1600 wrote to memory of 2580	1600	mscorsvw.exe	50
PID 1600 wrote to memory of 2580	1600	mscorsvw.exe	50
PID 1600 wrote to memory of 2580	1600	mscorsvw.exe	50
PID 1600 wrote to memory of 1740	1600	mscorsvw.exe	51
PID 1600 wrote to memory of 1740	1600	mscorsvw.exe	51
PID 1600 wrote to memory of 1740	1600	mscorsvw.exe	51
PID 1600 wrote to memory of 1740	1600	mscorsvw.exe	51
PID 1600 wrote to memory of 2908	1600	mscorsvw.exe	52
PID 1600 wrote to memory of 2908	1600	mscorsvw.exe	52
PID 1600 wrote to memory of 2908	1600	mscorsvw.exe	52
PID 1600 wrote to memory of 2908	1600	mscorsvw.exe	52
PID 1600 wrote to memory of 2156	1600	mscorsvw.exe	53
PID 1600 wrote to memory of 2156	1600	mscorsvw.exe	53
PID 1600 wrote to memory of 2156	1600	mscorsvw.exe	53
PID 1600 wrote to memory of 2156	1600	mscorsvw.exe	53
PID 1600 wrote to memory of 2876	1600	mscorsvw.exe	54
PID 1600 wrote to memory of 2876	1600	mscorsvw.exe	54
PID 1600 wrote to memory of 2876	1600	mscorsvw.exe	54
PID 1600 wrote to memory of 2876	1600	mscorsvw.exe	54
PID 1600 wrote to memory of 1688	1600	mscorsvw.exe	55
PID 1600 wrote to memory of 1688	1600	mscorsvw.exe	55
PID 1600 wrote to memory of 1688	1600	mscorsvw.exe	55
PID 1600 wrote to memory of 1688	1600	mscorsvw.exe	55
PID 1600 wrote to memory of 2744	1600	mscorsvw.exe	56
PID 1600 wrote to memory of 2744	1600	mscorsvw.exe	56
PID 1600 wrote to memory of 2744	1600	mscorsvw.exe	56
PID 1600 wrote to memory of 2744	1600	mscorsvw.exe	56
PID 1600 wrote to memory of 1084	1600	mscorsvw.exe	57
PID 1600 wrote to memory of 1084	1600	mscorsvw.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe
"C:\Users\Admin\AppData\Local\Temp\d88299a89e28245ee9e2041338b815edc68f2d379c42b000d98fff6a868a7828.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2124

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 248 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 1d8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 1d8 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 27c -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 28c -NGENProcess 294 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 248 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 248 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 248 -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d8 -NGENProcess 2a0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2b0 -NGENProcess 1d8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 23c -NGENProcess 224 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 240 -NGENProcess 1bc -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1c4 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:876

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2380

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2752

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2736

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2520

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:916

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2288

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3425689832-2386927309-2650718742-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3425689832-2386927309-2650718742-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1660
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
6272663c1a7653e5f5a6aec242a137d0

SHA1
0f5d86cd888ee5fed0cd79942be80114fd0b952c

SHA256
16d69d4a55830639ff04b9db7d217d850b37a2a9b0bf0c29bf0508fd6b80b32b

SHA512
a12bdbbffc12baab1bd87cb4af526fb0d8a6568cb43ff23421a631902db6375f4757bbd6a2c3446dc555972a1b5e11f73049bfdd41a0106cddc73721d6acd104

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
e2a156e463fc29749b214af558670504

SHA1
cbaff5944d7e5cbe7876f784f20b290aea5a0e34

SHA256
6024a938f940d22de91bea8e7606d1df1b66a6802ef3139617edfed9520a8c3b

SHA512
48dde7b9495d4176d64fe38e77fdb7910d240fc2d47bb1fd31b2bab03894dff5b8b7d0ee6a0f6c58840af2cda3c2b9e0506f9acb74638f53fc494ccf00f64f7c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
67b6d15417dfab0e742199e6d8afcdbe

SHA1
a2389185fa79641efc059f04a0212b17986af613

SHA256
d4368a88f0647a514b7959492405015ee6428fd2e111407d552fc0924ccc6664

SHA512
c83c984b6e53f725de841c5ae5fa15dfa30a8a87a87244f07d99fbc517d2a4a5159990dd6188ee0a81ae53c55f3ea3309e40eac746694bffada0356cbaf3cb9c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
67b6d15417dfab0e742199e6d8afcdbe

SHA1
a2389185fa79641efc059f04a0212b17986af613

SHA256
d4368a88f0647a514b7959492405015ee6428fd2e111407d552fc0924ccc6664

SHA512
c83c984b6e53f725de841c5ae5fa15dfa30a8a87a87244f07d99fbc517d2a4a5159990dd6188ee0a81ae53c55f3ea3309e40eac746694bffada0356cbaf3cb9c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
0a09341a27b100d5ac6e55a6473128ef

SHA1
8895c03e517607ff9375cd688bbb0b79201c7449

SHA256
d93f1c848e675cb15fc212cd1466ae86898897078417c9da79fde3fe612301b8

SHA512
b4a550432c98b2b6721c3eb181bca7bd300cfc00b961cebef4d1f3f84ab26b6b116191985813dcb9d6bc38f13614518adc3ba52fed4b2108ca3473e1c28411bf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fae61851896a309eac8dc60e9cda5b8f

SHA1
d6a94f14333585c71f1c8a112aeff814044c37db

SHA256
176138eb6228f6e23f25682d281f931b77984262f8f07d897056113305f5ef82

SHA512
4461def8bf005f23b2847ac754a73dd7a99af299d315d082c407e844e4f76a9dfad704956c1b36e7a85c37b676ab9bc92e24105e7d7ca9cdc257ee487bda5fd6

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e287c6a78097236228e7c7bf1c126917

SHA1
4646ea95b4383c61e4f53833976f30be8502dbfa

SHA256
12b50e27230031e40ba27cb602d67f1e8b5023a2679654b5937a1d95e5416973

SHA512
f5de435bcb5f814ed0f9a994d49a10a3028da147b654e307bad81aeaba7efadb1518015bfe18a5985427847bc2fc1e384264e97b221655d012e1d2448133adb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
005b9a4851ce7423742c1973e7d3fb07

SHA1
9dfb4a49be10f8ac56bc9e0344a177731aa5d697

SHA256
b4ef73a1bcd390b305daf0d11f3a6f46ba504c0ebc4d378833f1ba2cf2d7634b

SHA512
ada3882128e065e16e6861def985c87740414a340a9c22959cda5b5bf686c7e3bf019a1526f0a8224db5f88c91ba04722b4f04d7f00d1c6cf66f525225814a2d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
005b9a4851ce7423742c1973e7d3fb07

SHA1
9dfb4a49be10f8ac56bc9e0344a177731aa5d697

SHA256
b4ef73a1bcd390b305daf0d11f3a6f46ba504c0ebc4d378833f1ba2cf2d7634b

SHA512
ada3882128e065e16e6861def985c87740414a340a9c22959cda5b5bf686c7e3bf019a1526f0a8224db5f88c91ba04722b4f04d7f00d1c6cf66f525225814a2d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e39338ac4dae2f858f7f41ac8997bae4

SHA1
79081b11aee84b8dbc2a49dd4772b51bd75e4944

SHA256
8b65f5bcb558cee8557b74cf810f68626464c81e5396f8a86b09b1e335e4b7c4

SHA512
89d5ba1964a115922fe4c1f057b1e0cef3c593baf5221776a1eb8e3161954d8ff930db0634b1f9c1db9355c67b1a0ab928572137c9d052ca004339809758ca2b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
54066f3b3179f51baca5fe3d416346f7

SHA1
7aedfa6647f17b7886e2cd8458f58dddbeec2cd0

SHA256
11e24670520459881025d5d87ae8cb4ba730bd5a4fbeb8ba768feddc7ad7374f

SHA512
05a93cf400ea0624663956d714e7045fd982f5c27f6653fa60ae55b8848dd3244dfd59163270c2d94a013f5020cae933d8f000f053949e5d688ae435cbeabf84

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
93719c2eb651919a26d6ef7bac686f56

SHA1
3f9f2fc74a2a420e03f6fafd5caf70474488e817

SHA256
838a76a67536446a2317ffe995d90aead5b9831a6db9bf6c3e504d0f2ff44901

SHA512
0aed1c4c11db54f91252ff93d669632a0c2cd1b9c1875fe71fd73731ad4ff3afa2440081e737d62614da4ddbab2eb835d95d13c4047e6fcc815335ff105aa1ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
93719c2eb651919a26d6ef7bac686f56

SHA1
3f9f2fc74a2a420e03f6fafd5caf70474488e817

SHA256
838a76a67536446a2317ffe995d90aead5b9831a6db9bf6c3e504d0f2ff44901

SHA512
0aed1c4c11db54f91252ff93d669632a0c2cd1b9c1875fe71fd73731ad4ff3afa2440081e737d62614da4ddbab2eb835d95d13c4047e6fcc815335ff105aa1ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
93719c2eb651919a26d6ef7bac686f56

SHA1
3f9f2fc74a2a420e03f6fafd5caf70474488e817

SHA256
838a76a67536446a2317ffe995d90aead5b9831a6db9bf6c3e504d0f2ff44901

SHA512
0aed1c4c11db54f91252ff93d669632a0c2cd1b9c1875fe71fd73731ad4ff3afa2440081e737d62614da4ddbab2eb835d95d13c4047e6fcc815335ff105aa1ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
93719c2eb651919a26d6ef7bac686f56

SHA1
3f9f2fc74a2a420e03f6fafd5caf70474488e817

SHA256
838a76a67536446a2317ffe995d90aead5b9831a6db9bf6c3e504d0f2ff44901

SHA512
0aed1c4c11db54f91252ff93d669632a0c2cd1b9c1875fe71fd73731ad4ff3afa2440081e737d62614da4ddbab2eb835d95d13c4047e6fcc815335ff105aa1ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
93719c2eb651919a26d6ef7bac686f56

SHA1
3f9f2fc74a2a420e03f6fafd5caf70474488e817

SHA256
838a76a67536446a2317ffe995d90aead5b9831a6db9bf6c3e504d0f2ff44901

SHA512
0aed1c4c11db54f91252ff93d669632a0c2cd1b9c1875fe71fd73731ad4ff3afa2440081e737d62614da4ddbab2eb835d95d13c4047e6fcc815335ff105aa1ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
93719c2eb651919a26d6ef7bac686f56

SHA1
3f9f2fc74a2a420e03f6fafd5caf70474488e817

SHA256
838a76a67536446a2317ffe995d90aead5b9831a6db9bf6c3e504d0f2ff44901

SHA512
0aed1c4c11db54f91252ff93d669632a0c2cd1b9c1875fe71fd73731ad4ff3afa2440081e737d62614da4ddbab2eb835d95d13c4047e6fcc815335ff105aa1ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
93719c2eb651919a26d6ef7bac686f56

SHA1
3f9f2fc74a2a420e03f6fafd5caf70474488e817

SHA256
838a76a67536446a2317ffe995d90aead5b9831a6db9bf6c3e504d0f2ff44901

SHA512
0aed1c4c11db54f91252ff93d669632a0c2cd1b9c1875fe71fd73731ad4ff3afa2440081e737d62614da4ddbab2eb835d95d13c4047e6fcc815335ff105aa1ea

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
3f514a4ce07e9f90871fcb5a7301770c

SHA1
06b9b53a2d742f63d7834669565ffc4bcc4cc65a

SHA256
58756765a7f1f5f2b57e6489d6f81a703ba1cd7996810b5a16b032a88459eeb6

SHA512
af926bc59a176b0121170524b323a7cc466d83ce70d1a6299db1620f360d9c440537b4d415842d548d867b6f998cea895ac16b816ebb650111c54d2fed2aa4d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
3f514a4ce07e9f90871fcb5a7301770c

SHA1
06b9b53a2d742f63d7834669565ffc4bcc4cc65a

SHA256
58756765a7f1f5f2b57e6489d6f81a703ba1cd7996810b5a16b032a88459eeb6

SHA512
af926bc59a176b0121170524b323a7cc466d83ce70d1a6299db1620f360d9c440537b4d415842d548d867b6f998cea895ac16b816ebb650111c54d2fed2aa4d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
d190d223301dc63174b66941d443fab1

SHA1
8b406033b278067ee8e65f62d686e12bd8e13c80

SHA256
e039a4e9575ea83fde8c5bb968475545168ea4fc86785d510f16e466445b1001

SHA512
88c4e5e33b037c924dfa1572fc77527bd9378aaf051111f4d8cedc2d1d7183fd7f84532b0f7f43e46f8f3a38cae488672682c8108e212251809637421a50746b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6a548e27224afb2d54a826bb5044104

SHA1
d5dbeda1e062be5ec0ae3eb2c1de8b69de443040

SHA256
23eec7cbbe16f138d53db2e72104e0e29d8cdb2c3ff3debfe6af1f39d46a38d1

SHA512
03157cc645fd4ecfd3f6cae185e1e50fba97c66eb6404d149349781a9c8d4925d5d186f52f625d25e3507d72d4e80e91a5a8c28e5f28f5cfa124ac9749b071ca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
397346b1611630aafccd3f4fd7543895

SHA1
1cbaff03ebebdc3e17f9e92f2f40c564114caeb2

SHA256
8e2838c65f41196af0a2e5821a5fd51f8313bc9c733d4fbb66410fd3fad8f0ea

SHA512
716c9237af677adaa30475fc210dee73d1944024439ec3a6bb461cc8a2a185adc4807d890a9fc8e8d69b014c9f0f0d7deaa7778fbf5070747b8d8905753639c2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
d897b07d3e74ee256c025e12afe7ac54

SHA1
e1de3dc01c30d0fb5ea74b56c9e1826c3daeaf16

SHA256
48dc8fcfd9b430462a88c84c7419290c555da19f2aab1f6ce886d313579d4324

SHA512
2991a8cbb0156b492cf07926ce27b931a43ea228b5efebdb79d7429ada1df041f88a698fea7b0c4a8f2b7b9f37a0a45e5399b66b9b1e1a5250226605d2b43bf8

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
57a1e3c219f7870c9cc1f3f9d1bd30b7

SHA1
7addc144098fa7a56a0bbebe4a1331f3008dbe61

SHA256
9776791142005dda44bc433b24882616f5b6f58ee29da2217aa34e47f3a41047

SHA512
bbf3cd9d17a908e3daf5560be528c302f83923db43e8995497bf0067114eac49ce76a786a991bc50d6ce79463b040f44a44051786be076f135e5c5a83bf81a33

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
2d42ae9ba5e01d55a5c93322d6058c98

SHA1
36ba6d2d0a5d41465ed6812c7cd020877cd95546

SHA256
e08e4306641f05ef29415b8bf5816c0ff288dea9c1d102dbcb902a429266004b

SHA512
f16e7ca389b9a4f518d7ec20d8ee26f2bac6095813f4590038fd1077e5380dae8910f8bf727238ff96a4ff0de244220ed22f29ee0a0a40c50c73272ca1b6f121

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
aa6fa63eb819de0054a074888bb19385

SHA1
c1255a79c9c54b67bb307d0ba48dbef818d0d351

SHA256
3908cf4e92a15ea2f574b6feb129f600e21d7dd7d2c57128738c31220cdd866e

SHA512
1e1cf023acc5c933a6e0f32bbc35fbd36d1738441816d00b5167be48283f0bf7070f0c5283cdee1261e292cf3e312d5e59153238ed4d0435e074bca2415c6d27

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
cfb4905fafdba55fdd2621e401611f9e

SHA1
0b0f7ed81a9f596950eb6dfa5fefc1f61a89cd94

SHA256
bfd7479456481d2051e22cc767a64e025f7cff22dabb4d058e19738e2745b2e9

SHA512
eee4e04b739ab0f9f16efcb096ce734a1183a86d534aaa86e894118fd7cf71432207dd5b9ca7e0fa252cdc5e31cf3552b8ac455ec9d588ea9ee9fe5d78f448ee

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
691KB

MD5
810b726ed21bfb59b72c010503892322

SHA1
5036d6e178b7911fbece295c00d8bc4bb4d91b5d

SHA256
dbb9a314b178d1352c8fb9615653ff9f8d8fa8a800ab7a30e5b56ade233146a8

SHA512
2be9c0341dcdc1c9ebe7278ff3fbdca5408525e7c7dc64c28e3ebb87ce4ac798616684848a2a5419526d05bfdcfc904d581a3559cba94c0a0092a82a1e401730

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
dec14065d692c23d8d1127c4bf5b2e4b

SHA1
e82f63cc752d3ec13523cda62d1b6700d4afd699

SHA256
b127a445656ec0196296eece953521c814b1c328923eee24ffa2d4f426e9bd46

SHA512
28fadd286eee577e5a4079b8d3131c3f493ee778e0adf00ecc6d57d33da5d35824c4929d52a7951253c6bf57cf7f1238b637173a7db6d763ecc80f14b1835b02

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
8f9ba24d572c5ceb30d8c0352437fa64

SHA1
2c5485b79bce2262b3b8659d50d3451eed520bc4

SHA256
ebdbe6b9735c806ce767ee658af4a7cdfc464664c50aeed9f0893f89dd677de3

SHA512
ae929ea039e70c89144fb59f705b6ba03d64838d80a6467ae071d70a1ce49e845ecb182b23edb22d71f869355eb0d96ede20954ec13e85e7883eebec69496b33

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
810b726ed21bfb59b72c010503892322

SHA1
5036d6e178b7911fbece295c00d8bc4bb4d91b5d

SHA256
dbb9a314b178d1352c8fb9615653ff9f8d8fa8a800ab7a30e5b56ade233146a8

SHA512
2be9c0341dcdc1c9ebe7278ff3fbdca5408525e7c7dc64c28e3ebb87ce4ac798616684848a2a5419526d05bfdcfc904d581a3559cba94c0a0092a82a1e401730

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
005b9a4851ce7423742c1973e7d3fb07

SHA1
9dfb4a49be10f8ac56bc9e0344a177731aa5d697

SHA256
b4ef73a1bcd390b305daf0d11f3a6f46ba504c0ebc4d378833f1ba2cf2d7634b

SHA512
ada3882128e065e16e6861def985c87740414a340a9c22959cda5b5bf686c7e3bf019a1526f0a8224db5f88c91ba04722b4f04d7f00d1c6cf66f525225814a2d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
54066f3b3179f51baca5fe3d416346f7

SHA1
7aedfa6647f17b7886e2cd8458f58dddbeec2cd0

SHA256
11e24670520459881025d5d87ae8cb4ba730bd5a4fbeb8ba768feddc7ad7374f

SHA512
05a93cf400ea0624663956d714e7045fd982f5c27f6653fa60ae55b8848dd3244dfd59163270c2d94a013f5020cae933d8f000f053949e5d688ae435cbeabf84

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
d897b07d3e74ee256c025e12afe7ac54

SHA1
e1de3dc01c30d0fb5ea74b56c9e1826c3daeaf16

SHA256
48dc8fcfd9b430462a88c84c7419290c555da19f2aab1f6ce886d313579d4324

SHA512
2991a8cbb0156b492cf07926ce27b931a43ea228b5efebdb79d7429ada1df041f88a698fea7b0c4a8f2b7b9f37a0a45e5399b66b9b1e1a5250226605d2b43bf8

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
57a1e3c219f7870c9cc1f3f9d1bd30b7

SHA1
7addc144098fa7a56a0bbebe4a1331f3008dbe61

SHA256
9776791142005dda44bc433b24882616f5b6f58ee29da2217aa34e47f3a41047

SHA512
bbf3cd9d17a908e3daf5560be528c302f83923db43e8995497bf0067114eac49ce76a786a991bc50d6ce79463b040f44a44051786be076f135e5c5a83bf81a33

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
2d42ae9ba5e01d55a5c93322d6058c98

SHA1
36ba6d2d0a5d41465ed6812c7cd020877cd95546

SHA256
e08e4306641f05ef29415b8bf5816c0ff288dea9c1d102dbcb902a429266004b

SHA512
f16e7ca389b9a4f518d7ec20d8ee26f2bac6095813f4590038fd1077e5380dae8910f8bf727238ff96a4ff0de244220ed22f29ee0a0a40c50c73272ca1b6f121

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
aa6fa63eb819de0054a074888bb19385

SHA1
c1255a79c9c54b67bb307d0ba48dbef818d0d351

SHA256
3908cf4e92a15ea2f574b6feb129f600e21d7dd7d2c57128738c31220cdd866e

SHA512
1e1cf023acc5c933a6e0f32bbc35fbd36d1738441816d00b5167be48283f0bf7070f0c5283cdee1261e292cf3e312d5e59153238ed4d0435e074bca2415c6d27

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
cfb4905fafdba55fdd2621e401611f9e

SHA1
0b0f7ed81a9f596950eb6dfa5fefc1f61a89cd94

SHA256
bfd7479456481d2051e22cc767a64e025f7cff22dabb4d058e19738e2745b2e9

SHA512
eee4e04b739ab0f9f16efcb096ce734a1183a86d534aaa86e894118fd7cf71432207dd5b9ca7e0fa252cdc5e31cf3552b8ac455ec9d588ea9ee9fe5d78f448ee

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
810b726ed21bfb59b72c010503892322

SHA1
5036d6e178b7911fbece295c00d8bc4bb4d91b5d

SHA256
dbb9a314b178d1352c8fb9615653ff9f8d8fa8a800ab7a30e5b56ade233146a8

SHA512
2be9c0341dcdc1c9ebe7278ff3fbdca5408525e7c7dc64c28e3ebb87ce4ac798616684848a2a5419526d05bfdcfc904d581a3559cba94c0a0092a82a1e401730

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
810b726ed21bfb59b72c010503892322

SHA1
5036d6e178b7911fbece295c00d8bc4bb4d91b5d

SHA256
dbb9a314b178d1352c8fb9615653ff9f8d8fa8a800ab7a30e5b56ade233146a8

SHA512
2be9c0341dcdc1c9ebe7278ff3fbdca5408525e7c7dc64c28e3ebb87ce4ac798616684848a2a5419526d05bfdcfc904d581a3559cba94c0a0092a82a1e401730

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
dec14065d692c23d8d1127c4bf5b2e4b

SHA1
e82f63cc752d3ec13523cda62d1b6700d4afd699

SHA256
b127a445656ec0196296eece953521c814b1c328923eee24ffa2d4f426e9bd46

SHA512
28fadd286eee577e5a4079b8d3131c3f493ee778e0adf00ecc6d57d33da5d35824c4929d52a7951253c6bf57cf7f1238b637173a7db6d763ecc80f14b1835b02

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
8f9ba24d572c5ceb30d8c0352437fa64

SHA1
2c5485b79bce2262b3b8659d50d3451eed520bc4

SHA256
ebdbe6b9735c806ce767ee658af4a7cdfc464664c50aeed9f0893f89dd677de3

SHA512
ae929ea039e70c89144fb59f705b6ba03d64838d80a6467ae071d70a1ce49e845ecb182b23edb22d71f869355eb0d96ede20954ec13e85e7883eebec69496b33

Download Submit
memory/540-355-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/540-272-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/540-267-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/876-302-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/876-261-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/876-255-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/876-253-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1120-339-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1120-294-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1120-341-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1120-338-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1128-467-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1128-486-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1128-447-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1128-449-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1128-440-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1368-503-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1368-544-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1368-543-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1368-512-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1368-508-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1600-141-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1600-282-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1600-140-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/1600-221-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/1648-499-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1648-459-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1648-510-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1648-511-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1648-463-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1676-231-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1676-296-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1676-230-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/1676-237-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/1700-120-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1700-121-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1700-128-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1700-250-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2124-112-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2124-249-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2124-105-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2124-106-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2380-313-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2380-314-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2380-299-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2380-279-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2556-428-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-348-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2556-347-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2556-429-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2556-430-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2556-351-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-215-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2584-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2584-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2584-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2584-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2584-139-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2696-550-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2696-541-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2736-345-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2736-353-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2736-356-0x0000000074438000-0x000000007444D000-memory.dmp

Filesize
84KB

Download
memory/2736-457-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2736-487-0x0000000074438000-0x000000007444D000-memory.dmp

Filesize
84KB

Download
memory/2736-352-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2752-350-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2752-354-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2760-66-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2760-41-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2760-40-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2760-229-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2828-101-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2828-95-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2828-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2828-252-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download