7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
25/11/2023, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
Size

1.8MB
MD5

56b90013c3e64f23a91e797ef45ba82d
SHA1

bb35b140026827bd0322016b7c34c15e0cd71438
SHA256

7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b
SHA512

d29f24008fba9dec59d439cb4e67c8a0d5d4004bab55538e5bff1545175de3b4e92f5f08ecde394fb676951a44228bcf468065957be63f9d933ac443e76831d9
SSDEEP

49152:EKJ0WR7AFPyyiSruXKpk3WFDL9zxnSlHwn9/7sbN6uR:EKlBAFPydSS6W6X9lnBp7sbN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2768	alg.exe
1880	aspnet_state.exe
572	mscorsvw.exe
2772	mscorsvw.exe
1664	mscorsvw.exe
2552	mscorsvw.exe
2824	ehRecvr.exe
1760	ehsched.exe
1352	elevation_service.exe
1016	IEEtwCollector.exe
2764	dllhost.exe
2644	maintenanceservice.exe
2512	OSE.EXE
2980	OSPPSVC.EXE
1716	mscorsvw.exe
552	mscorsvw.exe
392	mscorsvw.exe
460	mscorsvw.exe
2308	mscorsvw.exe
2860	mscorsvw.exe
536	mscorsvw.exe
956	mscorsvw.exe
2436	mscorsvw.exe
1344	mscorsvw.exe
1932	mscorsvw.exe
2716	mscorsvw.exe
2752	mscorsvw.exe
1064	mscorsvw.exe
1472	mscorsvw.exe
1564	mscorsvw.exe
1944	mscorsvw.exe
2224	mscorsvw.exe
2960	mscorsvw.exe
3048	mscorsvw.exe
2316	mscorsvw.exe
1200	mscorsvw.exe
2920	mscorsvw.exe
2752	mscorsvw.exe
1064	mscorsvw.exe
616	mscorsvw.exe
2352	mscorsvw.exe
2740	mscorsvw.exe
2692	mscorsvw.exe
2688	mscorsvw.exe
2864	mscorsvw.exe
2920	mscorsvw.exe
1820	mscorsvw.exe
1392	mscorsvw.exe
2656	mscorsvw.exe
1048	mscorsvw.exe
1176	mscorsvw.exe
2704	mscorsvw.exe
2528	mscorsvw.exe
2520	mscorsvw.exe
2796	mscorsvw.exe
2052	mscorsvw.exe
1064	mscorsvw.exe
1712	mscorsvw.exe
948	mscorsvw.exe
2216	mscorsvw.exe
1872	mscorsvw.exe
1756	mscorsvw.exe
1752	mscorsvw.exe

Loads dropped DLL 34 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2688	mscorsvw.exe
2688	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
1392	mscorsvw.exe
1392	mscorsvw.exe
1048	mscorsvw.exe
1048	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe
2520	mscorsvw.exe
2520	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
1712	mscorsvw.exe
1712	mscorsvw.exe
2216	mscorsvw.exe
2216	mscorsvw.exe
1756	mscorsvw.exe
1756	mscorsvw.exe
2692	mscorsvw.exe
2692	mscorsvw.exe
460	mscorsvw.exe
460	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe
1084	mscorsvw.exe
1084	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\76876d18ea1ae02.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6181.tmp\goopdateres_cs.dll	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6181.tmp\goopdateres_da.dll	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT6182.tmp	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6181.tmp\goopdateres_kn.dll	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6181.tmp\goopdateres_ar.dll	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6181.tmp\goopdateres_id.dll	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6181.tmp\GoogleUpdateCore.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6181.tmp\goopdateres_am.dll	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4328.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5496.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E1EFD30B-5876-4636-9D00-5E325A830B93}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP74A3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP361E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
924	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2028	7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: 33	2084	EhTray.exe
Token: SeIncBasePriorityPrivilege	2084	EhTray.exe
Token: SeDebugPrivilege	924	ehRec.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: 33	2084	EhTray.exe
Token: SeIncBasePriorityPrivilege	2084	EhTray.exe
Token: SeDebugPrivilege	2768	alg.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeDebugPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe
Token: SeShutdownPrivilege	2552	mscorsvw.exe
Token: SeShutdownPrivilege	1664	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2084	EhTray.exe
2084	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2084	EhTray.exe
2084	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1716	1664	mscorsvw.exe	44
PID 1664 wrote to memory of 1716	1664	mscorsvw.exe	44
PID 1664 wrote to memory of 1716	1664	mscorsvw.exe	44
PID 1664 wrote to memory of 1716	1664	mscorsvw.exe	44
PID 1664 wrote to memory of 552	1664	mscorsvw.exe	45
PID 1664 wrote to memory of 552	1664	mscorsvw.exe	45
PID 1664 wrote to memory of 552	1664	mscorsvw.exe	45
PID 1664 wrote to memory of 552	1664	mscorsvw.exe	45
PID 1664 wrote to memory of 392	1664	mscorsvw.exe	46
PID 1664 wrote to memory of 392	1664	mscorsvw.exe	46
PID 1664 wrote to memory of 392	1664	mscorsvw.exe	46
PID 1664 wrote to memory of 392	1664	mscorsvw.exe	46
PID 1664 wrote to memory of 460	1664	mscorsvw.exe	47
PID 1664 wrote to memory of 460	1664	mscorsvw.exe	47
PID 1664 wrote to memory of 460	1664	mscorsvw.exe	47
PID 1664 wrote to memory of 460	1664	mscorsvw.exe	47
PID 1664 wrote to memory of 2308	1664	mscorsvw.exe	48
PID 1664 wrote to memory of 2308	1664	mscorsvw.exe	48
PID 1664 wrote to memory of 2308	1664	mscorsvw.exe	48
PID 1664 wrote to memory of 2308	1664	mscorsvw.exe	48
PID 1664 wrote to memory of 2860	1664	mscorsvw.exe	49
PID 1664 wrote to memory of 2860	1664	mscorsvw.exe	49
PID 1664 wrote to memory of 2860	1664	mscorsvw.exe	49
PID 1664 wrote to memory of 2860	1664	mscorsvw.exe	49
PID 1664 wrote to memory of 536	1664	mscorsvw.exe	50
PID 1664 wrote to memory of 536	1664	mscorsvw.exe	50
PID 1664 wrote to memory of 536	1664	mscorsvw.exe	50
PID 1664 wrote to memory of 536	1664	mscorsvw.exe	50
PID 1664 wrote to memory of 956	1664	mscorsvw.exe	51
PID 1664 wrote to memory of 956	1664	mscorsvw.exe	51
PID 1664 wrote to memory of 956	1664	mscorsvw.exe	51
PID 1664 wrote to memory of 956	1664	mscorsvw.exe	51
PID 1664 wrote to memory of 2436	1664	mscorsvw.exe	52
PID 1664 wrote to memory of 2436	1664	mscorsvw.exe	52
PID 1664 wrote to memory of 2436	1664	mscorsvw.exe	52
PID 1664 wrote to memory of 2436	1664	mscorsvw.exe	52
PID 1664 wrote to memory of 1344	1664	mscorsvw.exe	53
PID 1664 wrote to memory of 1344	1664	mscorsvw.exe	53
PID 1664 wrote to memory of 1344	1664	mscorsvw.exe	53
PID 1664 wrote to memory of 1344	1664	mscorsvw.exe	53
PID 1664 wrote to memory of 1932	1664	mscorsvw.exe	54
PID 1664 wrote to memory of 1932	1664	mscorsvw.exe	54
PID 1664 wrote to memory of 1932	1664	mscorsvw.exe	54
PID 1664 wrote to memory of 1932	1664	mscorsvw.exe	54
PID 1664 wrote to memory of 2716	1664	mscorsvw.exe	55
PID 1664 wrote to memory of 2716	1664	mscorsvw.exe	55
PID 1664 wrote to memory of 2716	1664	mscorsvw.exe	55
PID 1664 wrote to memory of 2716	1664	mscorsvw.exe	55
PID 1664 wrote to memory of 2752	1664	mscorsvw.exe	56
PID 1664 wrote to memory of 2752	1664	mscorsvw.exe	56
PID 1664 wrote to memory of 2752	1664	mscorsvw.exe	56
PID 1664 wrote to memory of 2752	1664	mscorsvw.exe	56
PID 1664 wrote to memory of 1064	1664	mscorsvw.exe	57
PID 1664 wrote to memory of 1064	1664	mscorsvw.exe	57
PID 1664 wrote to memory of 1064	1664	mscorsvw.exe	57
PID 1664 wrote to memory of 1064	1664	mscorsvw.exe	57
PID 1664 wrote to memory of 1472	1664	mscorsvw.exe	58
PID 1664 wrote to memory of 1472	1664	mscorsvw.exe	58
PID 1664 wrote to memory of 1472	1664	mscorsvw.exe	58
PID 1664 wrote to memory of 1472	1664	mscorsvw.exe	58
PID 1664 wrote to memory of 1564	1664	mscorsvw.exe	60
PID 1664 wrote to memory of 1564	1664	mscorsvw.exe	60
PID 1664 wrote to memory of 1564	1664	mscorsvw.exe	60
PID 1664 wrote to memory of 1564	1664	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe
"C:\Users\Admin\AppData\Local\Temp\7915f9345162f82655e0c9a3e9398e947896f9a5c8a3d10c627ab3d7a9d3f43b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:572

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d8 -NGENProcess 1d4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 294 -NGENProcess 28c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 254 -NGENProcess 29c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 29c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 27c -NGENProcess 284 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 29c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 26c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1d0 -NGENProcess 2b0 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2d4 -NGENProcess 26c -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 290 -NGENProcess 2dc -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c4 -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c0 -NGENProcess 2dc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c0 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2cc -NGENProcess 2f8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 304 -NGENProcess 300 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 300 -NGENProcess 284 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2c0 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2c4 -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c4 -NGENProcess 2fc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 290 -NGENProcess 314 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2e8 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 118 -NGENProcess 318 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 308 -NGENProcess 318 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 314 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 324 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 318 -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 320 -NGENProcess 32c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 330 -NGENProcess 328 -Pipe 118 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 328 -NGENProcess 2e8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 328 -NGENProcess 330 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 330 -NGENProcess 320 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 330 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 33c -NGENProcess 350 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 320 -NGENProcess 354 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 328 -NGENProcess 358 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 328 -NGENProcess 318 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1e0 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2824

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2764

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2644

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2512

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
1eec56d91d2668881a2c834c8ff73aec

SHA1
62a338d0acfff4260b0066810700c1696f0a2c1a

SHA256
0dc488c460eadffde1ab23ac83775e89a1848ae1b559e2b5e7176b35075d4590

SHA512
074d71b52d2eff516090ca32764b82000044cc37ab536e95956a9128d748944b866f2f4c86fe117c19153ef97f692fb8a43f8d4976d20e048e8d87f54d08a3d2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
d26d479c20a415f33da781b13330d7f7

SHA1
f7105205991e13820a7bde783916347f4547e4ec

SHA256
a586bc42bbfa98d089a72f42c3af2a22ad4caec1e2b78e00c856c27d1b4e9982

SHA512
5ce1618f173601765ccae0a8e6b97bf40af6e5ed4a11344d9ab5d467fce7e27f918cd8c6fe95a917a437a88cf76c0ffbad9fb5bd544064958a10b81796a3d06d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
d8a79d0b09dec7fbce5edb2919ca993c

SHA1
5bc0c909e083a7c88a86b1aed5e4ee32d080fead

SHA256
145cdd5f8f1b240058f83f2e5e98d7235ee9848aec2328130f037110c3adc98b

SHA512
23898a59655f047b014f5669eab28617cb146761a037237ffd952bdf97ca05978f9c46b5371b24426d512304dfa10c114d4ad46f8a7a383572e7f358e9637c84

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
2187a6a21346b3aa1869bea6e409d4fc

SHA1
a4421c118e6f4d70dad970b4059675b5c95cf15a

SHA256
14c73c0b390d0c55003e5acec19fa1965b4da9af27d4218be0ac3cf5e0cd6db4

SHA512
d2452160deb2e3e91b5eaa6dd414dbec47561d02c49489a41ae00406f96cd141387b96f6fceb55a8be887e7fc5fc990f81347de1d8c61237da4aa826dbd9ff33

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
20ba087e844e68fea42c5f764d1a9d83

SHA1
2aeb0ffe38f364cf6e7d7f98a4fb86f216b4b1d4

SHA256
b71d2729a2ba16329d42c7fbee21e46eb8abe8afdd899a99b7a117a3796714c0

SHA512
9ef4013030523daedbc4a1c96b4c013a36eb13a75fe69f718eaac7caf187389c9b6abcc41340ce857feccfd64861a26eb32ab8f8369de761c7b46a20cc5815f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
bd7ed14575b00752f4e504327a085b43

SHA1
2b214958736c02c934cbbe889de03e63334ed67f

SHA256
920c3dd7396b8c3a0bf6bd6a4256feb8375df0b0106c1924efd7d33451e00820

SHA512
beb7b971c1cf816182e5f96d50de66a40c6b66165e0bbc1b8ff0a959e7198ddc75a4c48cc1ccc1a85ccf60ef64b04d612ceeaa2e0ec5bf3cd0116b348ab88122

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3c75bc1e24580c4c6b771207f2c4e8ef

SHA1
2374fd7f4694ef2e196e9679da22151e7bdbc015

SHA256
794d1394dd86b1e6b3062bbc71a8910f5646cecf23b5e884f4c1a03a3ec2b25a

SHA512
2db572ec1e8d545276210bcc061d6f9889856e7e49eaf6ef5964232f99bd23b9becd83ac10907948399efe4eb9a02002ec046297ad8875382e82b380c957cab6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3c75bc1e24580c4c6b771207f2c4e8ef

SHA1
2374fd7f4694ef2e196e9679da22151e7bdbc015

SHA256
794d1394dd86b1e6b3062bbc71a8910f5646cecf23b5e884f4c1a03a3ec2b25a

SHA512
2db572ec1e8d545276210bcc061d6f9889856e7e49eaf6ef5964232f99bd23b9becd83ac10907948399efe4eb9a02002ec046297ad8875382e82b380c957cab6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
2aa2803d63ba36f6ddbf322b5c8d6cce

SHA1
bdae43523ad2daccf850e682d84f01ca6181de66

SHA256
55452dc15ee32b9d1d3b022e5343f925d96c8cd9cb1fd7f0d8774c711c01ee14

SHA512
72dc2b509d4573defd33e3fdf38d9418f03b5617a81715f9c3ccf3b8d50c38d655353ed8e2deaf6c14b37bed5f4bad04b746e71df998b55d9027b4120ed6dcd1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
e62e7e439eab5a2ffef5eb923d84c1b5

SHA1
3598f29504a882331574328c1533e13e564ea009

SHA256
f15c67b264ff6c4523bf26658a31864a329ec98a3b697c0949e688a031f29e86

SHA512
613f663305c3d1596dc75041849db62846cf89f1c8dd15650b80276f8590b40fb6ccdb97de20c28decb944156f4a5637313d67bb5fc721d596cf1d3cbf5e7b0d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
6c56a33cd6b5f26c53d4c06a79b16a0c

SHA1
28ffd55e743a7ea2634a0018a55b7320649955fb

SHA256
61e1577b0f99a6f63d01ea3d54af9d1fc7c7c9420b475a620e368a46fbb0482f

SHA512
e21f09ce46b216e98d31a7bc41f47c8d85047d29d7416e0c4677c3d16bf0bc6b38bb77e3548331b23da10646eb90f13d3e1fe3b67061db11db26ea891497d379

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
3d3d870f323d6b6b67f35b1123928311

SHA1
8f53c181c16305476617d903fee69f4f90a5d59e

SHA256
a07a75f0e2a8cc9b4cc01bc5c43280588906acb9c999d4328c972f4dc2e996f5

SHA512
60c9d2b9510588bbed2301565e46f88e1613671c35850f32bf7ba688446bb4df08c1380247a33080143727b5a6623ec26fa48853e2a3d6a23d1339500df7322d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
90e5917db8c8da7d01a097bebf784539

SHA1
7934920cb27996204429e55f90d004934e23925d

SHA256
0a902aa4512b5503211163030f499b1c2d8079b8741878edeb92cacfc7044478

SHA512
68e7118bc5fc20a35093942e737ff2b05ef159c62f3e96374ab543fbfee931d11d7a15d577bc567770de0c09eef0c6df58a3e3a17ec74c8a6a7085c2292075c9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5b54c7e0fbb759ed66415f462edda62d

SHA1
5f9fab3f42209d06359287a658641cf9772edda7

SHA256
8c1da3f420238c73328ec548a9f815e3e13fedafdd7193b7fc858fe7f60b0f06

SHA512
974fbdb16bda7ea78b91f0e43fb3b4ad495a735d7aebc78133209daacfe0fb59ad14130dcb31f4f72c99f003a7dc1f065b2a0bf395419dc9ee2387d284234915

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
efed545555843a6b052e136e0613ecc1

SHA1
f1ab80e854ee3b71f31f986a9f033516d8019efa

SHA256
6096c144e7c2dfda18d0ccd420306c7517b1617234b78810c91548edb49f7285

SHA512
1f609768c3284a4df786b6801cd5e8f3b377ab430fc1c6e87ef554d6e1fe98e2c2d683e0f0e05e7177d3174f936d3f34a45629666505f03b8e25191624014685

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
efed545555843a6b052e136e0613ecc1

SHA1
f1ab80e854ee3b71f31f986a9f033516d8019efa

SHA256
6096c144e7c2dfda18d0ccd420306c7517b1617234b78810c91548edb49f7285

SHA512
1f609768c3284a4df786b6801cd5e8f3b377ab430fc1c6e87ef554d6e1fe98e2c2d683e0f0e05e7177d3174f936d3f34a45629666505f03b8e25191624014685

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d4125b2529bac431d510c8d2469db863

SHA1
83554713a2d9771efb5d6bbcb3121f5938b55501

SHA256
b4d1a6f586edb62767622c0d88b2c597c8ec306ae0dd004bf86b9404ed576641

SHA512
ef2d27f508d7eb6679fd04f8871d6b8a65eff2ac8b454ee879a28074e5033d36d55d615975dfb035eaeeb2d7da9cc810ee368b1ef75e6a67bf8a18b197372ce9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
2dd383fc538568a194d935430bc70df8

SHA1
2a19e50dabfd319a528b3993f7f9ebe3d915482a

SHA256
799b780c74359c3bf80fe095a78054ff7c583d46fb253ef8f0e9e7fd0ab96047

SHA512
77e2b15898a9eff6efefc1837f70e5fd7a96a15137acd9061d2d3962c986eb1459b5dd53ba2802d82079c523676348fb3e6a0d147898512005311dbedbe1d9c0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e7a70fcdf8d9fc176028e6a87661d5e1

SHA1
7b595dae5603905646bd2c14b8779f3fdd4a148c

SHA256
7bfb3fc2e9d31b39579821e514ec6b4c7ca7a063b36462c785111435517b4971

SHA512
d0e7c21365588096a436b9d997afb18b0342d0f63bdf4a7fd49c2df57cc915e413f116eddd6dfcfe2ea3d54f5bd9de9027b41c56c120eb043065914d9501d6dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e7a70fcdf8d9fc176028e6a87661d5e1

SHA1
7b595dae5603905646bd2c14b8779f3fdd4a148c

SHA256
7bfb3fc2e9d31b39579821e514ec6b4c7ca7a063b36462c785111435517b4971

SHA512
d0e7c21365588096a436b9d997afb18b0342d0f63bdf4a7fd49c2df57cc915e413f116eddd6dfcfe2ea3d54f5bd9de9027b41c56c120eb043065914d9501d6dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e7a70fcdf8d9fc176028e6a87661d5e1

SHA1
7b595dae5603905646bd2c14b8779f3fdd4a148c

SHA256
7bfb3fc2e9d31b39579821e514ec6b4c7ca7a063b36462c785111435517b4971

SHA512
d0e7c21365588096a436b9d997afb18b0342d0f63bdf4a7fd49c2df57cc915e413f116eddd6dfcfe2ea3d54f5bd9de9027b41c56c120eb043065914d9501d6dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e7a70fcdf8d9fc176028e6a87661d5e1

SHA1
7b595dae5603905646bd2c14b8779f3fdd4a148c

SHA256
7bfb3fc2e9d31b39579821e514ec6b4c7ca7a063b36462c785111435517b4971

SHA512
d0e7c21365588096a436b9d997afb18b0342d0f63bdf4a7fd49c2df57cc915e413f116eddd6dfcfe2ea3d54f5bd9de9027b41c56c120eb043065914d9501d6dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
abb178a5912155b67884c4e3897b74d2

SHA1
2ec4f2893168f0fc02d0d398ee597cc76f1c2840

SHA256
293af3374fdc8996f36d0e242b4b85736bc171c1630386887c880afe3ab0514e

SHA512
9594f64f88e09225d0ad8213881b8897214ed76fda36a2c0974f4a26d02db65d4e5b880c4149d9d54436906e8aaa1088d0d98f6138486f65f4a2b858bd430646

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
abb178a5912155b67884c4e3897b74d2

SHA1
2ec4f2893168f0fc02d0d398ee597cc76f1c2840

SHA256
293af3374fdc8996f36d0e242b4b85736bc171c1630386887c880afe3ab0514e

SHA512
9594f64f88e09225d0ad8213881b8897214ed76fda36a2c0974f4a26d02db65d4e5b880c4149d9d54436906e8aaa1088d0d98f6138486f65f4a2b858bd430646

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
d544955e7ed4404cd97e996aa9b42159

SHA1
2a1390e9e512922586e72818505adf4ee8294253

SHA256
8b4a66e5713526caaf11a52bdf77c7103c45cfc30f68c9cdc814ecf5cd65dafd

SHA512
e69454ee2d2b9976a5455c8686a64be8906c6de7991fd84546c4a0b29303c5295e6418554c9caffa3e1ec32a0d1d862cc49ffe8fa6a6a797c115360273f616e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
be2097b9def794fd942aaee2e2b0483f

SHA1
fae1d3ff5874ce99839b57c6916d10f023a7b16b

SHA256
97678f5579c55638a222bcd5391028eebf8d7f47d090ec9c33c5b8fb61684aa9

SHA512
b7f462e8dc6cb8488a23f199b290dc1ee04c564ddc8bacd10f262439a0c5a8d96d751ac9119edbb26b748a9ac6f2a5826b662affc026e1c05ebbfe205fac72d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
243e644ef8ea9431c69fa3c929a92723

SHA1
03fb52c6411d274f850bfeaa46b36b0168e9d58f

SHA256
ccb0b7341cc8ee80fa5693fe1cd007f7fe154854b93f9a3c7d76b8991ad96793

SHA512
493aa3b8db991f2c83e7b049851a0b98151d2000941eab3fc506a8983b024b3e0829c78544a5b7b614347474e602281c9319d3360caf6bd46c724f3eedc55444

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
29896ae824353ea36d395ad3a1a28f0c

SHA1
32f9e905876e0e6d1a15e71095569e9adc361f7c

SHA256
ae240676807ee67ce6bc965de534e52324d63715321118dcf25f3d2ea5efccee

SHA512
e096cf44d2674e6f5e24283bdab63ad8ad7bfd916eebac4fb3bad173c6f0e7eb4a0da485843d0803f7a1ac9c16be516d7ffb0b9a5a8ef7b9de497f9d5d54bc52

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
b5d0e3da8933b3c2e1ccb576d9e2553d

SHA1
d688a5a6290ac6b3ee93e7143324e0a587a279e0

SHA256
8fc3aa8b7c5142ec53d9093932d04af6137f347190cc76b262e08f7cabb68715

SHA512
6c6944202a952a9584cb47a956eaebad34a603e86194c96bc9fb364afe5857f04bd24f4cc19e688c8ed4c926f91879315f8dc0d326e9941cb4025c76e4c97b6a

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
670efa250e6630ab8d269af5087f8501

SHA1
8c1fdbb4ae0d6b4359bdd52f71f3544099bfca0c

SHA256
acaa7be3c7873c00c96fed58c04b8b0da8d17c70a17c6f604e1d783a9b27f7e0

SHA512
76f196c628724947d2bfae2df93c6dabc4e70fdbfcb84d20a4b93932c5bdc4c14e4c63a74f62c5706ea0ba1a9f33376e1f7efeabcae10b1f13623d0627d326e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\99cac16778c04165501d0b280f8d5c54\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
e0e0d41db0389c475c361f4c4b269980

SHA1
2971c9e4d3e464461df56fc0d57b003b4e42c395

SHA256
589c97cae16d9567c80b285f37dbbed63c385a1c2e32fff8373145f560865555

SHA512
57566d3c0b74eba757ac67ce43ad93ef3a7e762afc8ef3b3044155b978f43ef4e7d603e43a8e87fb3f99047b6630a7d76070d34eacd3728f339f0fa395067581

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b1286062b0f35fbc6e34e3ab37127ea2\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
9181a899c037ade3a230cb78531d1410

SHA1
465e2af771b100b464134293338e0fbdb2dd509d

SHA256
192304eeb2d2c5e068a1bd96b833a9f4f0539967ebdbcfbdbe21a6a866159d05

SHA512
4278b2ec090282025456533936f466ef19fb05aabab0cdaeb1dbf4dce70d42eff7d50172aee4f50b851eb2a1f60c4e56eb1af23489fa715dc72840a78daa53d5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
9f561d7347d17e76e7047107a79bdc85

SHA1
b9ae30c4b3ab22391120562376fa5311a7fedffd

SHA256
6d726a4599735be0f0d1faa1b47586d2d4fe34daa7224581e27d3fc552d5f57f

SHA512
ddbfefbc431bbeb59ccab4174b506b0212a16976c062974de953102af4715669b28dc1469d56bbf1e241523c434245c36ccb9b4c231485439420d61571f80ee7

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9f561d7347d17e76e7047107a79bdc85

SHA1
b9ae30c4b3ab22391120562376fa5311a7fedffd

SHA256
6d726a4599735be0f0d1faa1b47586d2d4fe34daa7224581e27d3fc552d5f57f

SHA512
ddbfefbc431bbeb59ccab4174b506b0212a16976c062974de953102af4715669b28dc1469d56bbf1e241523c434245c36ccb9b4c231485439420d61571f80ee7

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
2af4da2db3d3315d05bf5ed8d63105c8

SHA1
e6b5273f1a83cceb7384744018c30ecc7b359ffd

SHA256
ce19a5ff81b6812f0a5f67dce985e9f8139891adc1fad5db789eaa10879ae999

SHA512
b97695920e8afbd01460da0040e4bea79495cfcfc06a9ff461e1ff6267684a972a6cefb55b4a37535bff9f4e7e74aeec43e0f81df10602e983ca08e80455a9ea

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
2af4da2db3d3315d05bf5ed8d63105c8

SHA1
e6b5273f1a83cceb7384744018c30ecc7b359ffd

SHA256
ce19a5ff81b6812f0a5f67dce985e9f8139891adc1fad5db789eaa10879ae999

SHA512
b97695920e8afbd01460da0040e4bea79495cfcfc06a9ff461e1ff6267684a972a6cefb55b4a37535bff9f4e7e74aeec43e0f81df10602e983ca08e80455a9ea

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.5MB

MD5
670efa250e6630ab8d269af5087f8501

SHA1
8c1fdbb4ae0d6b4359bdd52f71f3544099bfca0c

SHA256
acaa7be3c7873c00c96fed58c04b8b0da8d17c70a17c6f604e1d783a9b27f7e0

SHA512
76f196c628724947d2bfae2df93c6dabc4e70fdbfcb84d20a4b93932c5bdc4c14e4c63a74f62c5706ea0ba1a9f33376e1f7efeabcae10b1f13623d0627d326e1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
26afd9ec3bf30d04e22f1b1bc984c8d8

SHA1
2480cdbbf79f9c1c18ab893583aa59700128cdd0

SHA256
dc2862df06b234066b03d6732e35b6a56bdf552991906171713713fc7e139ef5

SHA512
fd81f7852098dc2f8fe7137445b04eead971112026b541321d9f2840b47dbaa17b9f48c5fb7959e93c19738ddc06c283af1a8895de1450357c9cf03631f20108

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
efed545555843a6b052e136e0613ecc1

SHA1
f1ab80e854ee3b71f31f986a9f033516d8019efa

SHA256
6096c144e7c2dfda18d0ccd420306c7517b1617234b78810c91548edb49f7285

SHA512
1f609768c3284a4df786b6801cd5e8f3b377ab430fc1c6e87ef554d6e1fe98e2c2d683e0f0e05e7177d3174f936d3f34a45629666505f03b8e25191624014685

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
2dd383fc538568a194d935430bc70df8

SHA1
2a19e50dabfd319a528b3993f7f9ebe3d915482a

SHA256
799b780c74359c3bf80fe095a78054ff7c583d46fb253ef8f0e9e7fd0ab96047

SHA512
77e2b15898a9eff6efefc1837f70e5fd7a96a15137acd9061d2d3962c986eb1459b5dd53ba2802d82079c523676348fb3e6a0d147898512005311dbedbe1d9c0

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
29896ae824353ea36d395ad3a1a28f0c

SHA1
32f9e905876e0e6d1a15e71095569e9adc361f7c

SHA256
ae240676807ee67ce6bc965de534e52324d63715321118dcf25f3d2ea5efccee

SHA512
e096cf44d2674e6f5e24283bdab63ad8ad7bfd916eebac4fb3bad173c6f0e7eb4a0da485843d0803f7a1ac9c16be516d7ffb0b9a5a8ef7b9de497f9d5d54bc52

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
b5d0e3da8933b3c2e1ccb576d9e2553d

SHA1
d688a5a6290ac6b3ee93e7143324e0a587a279e0

SHA256
8fc3aa8b7c5142ec53d9093932d04af6137f347190cc76b262e08f7cabb68715

SHA512
6c6944202a952a9584cb47a956eaebad34a603e86194c96bc9fb364afe5857f04bd24f4cc19e688c8ed4c926f91879315f8dc0d326e9941cb4025c76e4c97b6a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
670efa250e6630ab8d269af5087f8501

SHA1
8c1fdbb4ae0d6b4359bdd52f71f3544099bfca0c

SHA256
acaa7be3c7873c00c96fed58c04b8b0da8d17c70a17c6f604e1d783a9b27f7e0

SHA512
76f196c628724947d2bfae2df93c6dabc4e70fdbfcb84d20a4b93932c5bdc4c14e4c63a74f62c5706ea0ba1a9f33376e1f7efeabcae10b1f13623d0627d326e1

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9f561d7347d17e76e7047107a79bdc85

SHA1
b9ae30c4b3ab22391120562376fa5311a7fedffd

SHA256
6d726a4599735be0f0d1faa1b47586d2d4fe34daa7224581e27d3fc552d5f57f

SHA512
ddbfefbc431bbeb59ccab4174b506b0212a16976c062974de953102af4715669b28dc1469d56bbf1e241523c434245c36ccb9b4c231485439420d61571f80ee7

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
2af4da2db3d3315d05bf5ed8d63105c8

SHA1
e6b5273f1a83cceb7384744018c30ecc7b359ffd

SHA256
ce19a5ff81b6812f0a5f67dce985e9f8139891adc1fad5db789eaa10879ae999

SHA512
b97695920e8afbd01460da0040e4bea79495cfcfc06a9ff461e1ff6267684a972a6cefb55b4a37535bff9f4e7e74aeec43e0f81df10602e983ca08e80455a9ea

Download Submit
memory/392-451-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/392-439-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/392-455-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/460-468-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/552-453-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/552-452-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/552-424-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/552-418-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/552-406-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/572-110-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/572-97-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/924-187-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/924-194-0x000007FEF3EF0000-0x000007FEF488D000-memory.dmp

Filesize
9.6MB

Download
memory/924-324-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/924-318-0x000007FEF3EF0000-0x000007FEF488D000-memory.dmp

Filesize
9.6MB

Download
memory/924-393-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/924-319-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/924-461-0x000007FEF3EF0000-0x000007FEF488D000-memory.dmp

Filesize
9.6MB

Download
memory/924-344-0x000007FEF3EF0000-0x000007FEF488D000-memory.dmp

Filesize
9.6MB

Download
memory/924-456-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/924-195-0x000007FEF3EF0000-0x000007FEF488D000-memory.dmp

Filesize
9.6MB

Download
memory/1016-186-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1016-192-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1016-323-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1016-183-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1352-171-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1352-314-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1352-172-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1352-178-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1664-115-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1664-184-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1664-114-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1664-120-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1716-420-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-419-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1716-376-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-352-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1716-351-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1760-162-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1760-155-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1760-297-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1880-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1880-168-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2028-269-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2028-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2028-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2028-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2028-140-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2028-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2512-414-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2512-299-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2552-132-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2552-276-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-278-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2644-288-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2644-293-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2644-281-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2644-294-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2764-274-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2768-153-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2768-16-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2768-17-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2768-36-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2772-130-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2772-107-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2824-165-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2824-166-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2824-141-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2824-311-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2824-142-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2824-279-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2824-148-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2824-169-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2980-470-0x0000000073AB8000-0x0000000073ACD000-memory.dmp

Filesize
84KB

Download
memory/2980-313-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2980-303-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2980-315-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2980-325-0x0000000073AB8000-0x0000000073ACD000-memory.dmp

Filesize
84KB

Download
memory/2980-427-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download