06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443

Analysis

max time kernel
116s
max time network
150s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Size

1.8MB
MD5

92587081f842ffa5646cc94e151f6482
SHA1

00745cce0dea244957ea4ab48641b9a94246fe94
SHA256

06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443
SHA512

84586e6c729676ec45f554713623b0b8ca376763745f3374fef75b7461c56706284ba976e64be330f9efe6806f0bf375ee3b55b37f3e3b05afc20637efca1fbf
SSDEEP

49152:fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WArgDUYmvFur31yAipQCtXxc0H:fvbjVkjjCAzJNU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 62 IoCs

pid	Process
480	Process not Found
2064	alg.exe
2800	aspnet_state.exe
2500	mscorsvw.exe
1468	mscorsvw.exe
2576	mscorsvw.exe
2196	mscorsvw.exe
324	ehRecvr.exe
908	ehsched.exe
2436	elevation_service.exe
2656	mscorsvw.exe
2828	GROOVE.EXE
3008	maintenanceservice.exe
2712	OSE.EXE
2028	OSPPSVC.EXE
600	mscorsvw.exe
944	mscorsvw.exe
2704	mscorsvw.exe
2020	mscorsvw.exe
1252	mscorsvw.exe
716	mscorsvw.exe
1688	mscorsvw.exe
2312	mscorsvw.exe
1912	mscorsvw.exe
1520	mscorsvw.exe
712	mscorsvw.exe
1068	mscorsvw.exe
2636	mscorsvw.exe
2132	mscorsvw.exe
848	mscorsvw.exe
628	mscorsvw.exe
692	mscorsvw.exe
2112	mscorsvw.exe
2556	mscorsvw.exe
2628	mscorsvw.exe
1000	mscorsvw.exe
2208	mscorsvw.exe
1268	mscorsvw.exe
376	mscorsvw.exe
1520	dllhost.exe
2352	IEEtwCollector.exe
1576	msdtc.exe
772	msiexec.exe
2636	perfhost.exe
2056	locator.exe
2816	snmptrap.exe
560	vds.exe
2992	vssvc.exe
2572	wbengine.exe
1552	WmiApSrv.exe
820	wmpnetwk.exe
1948	SearchIndexer.exe
276	mscorsvw.exe
1392	mscorsvw.exe
2620	mscorsvw.exe
500	mscorsvw.exe
2796	mscorsvw.exe
2872	mscorsvw.exe
1380	mscorsvw.exe
3004	mscorsvw.exe
1660	mscorsvw.exe
540	mscorsvw.exe

Loads dropped DLL 21 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
772	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
776	Process not Found
2796	mscorsvw.exe
2796	mscorsvw.exe
1380	mscorsvw.exe
1380	mscorsvw.exe
1660	mscorsvw.exe
1660	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f6d6058b57b5c9d0.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\GoogleUpdateBroker.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{85B76C81-BE13-495D-9DA3-6BCEA1172108}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\goopdateres_cs.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\GoogleUpdateComRegisterShell64.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\GoogleUpdateOnDemand.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\goopdateres_ca.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\goopdateres_fr.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\goopdateres_tr.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\GoogleUpdateSetup.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\goopdate.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\goopdateres_mr.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA.tmp\goopdateres_nl.dll	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe

Drops file in Windows directory 58 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6926C0D7-AD99-47A7-B393-6B6F8A08774B}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6926C0D7-AD99-47A7-B393-6B6F8A08774B}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA89E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB55B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAFB0.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000507225e4d02cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090492be5d02cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f055dfe2d02cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{30B676D2-3B79-4BCE-A06C-51DD0F2ADDC7}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f01023e4d02cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090492be5d02cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0997ee5d02cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030b413e3d02cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009046e1e6d02cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2672	ehRec.exe
2800	aspnet_state.exe
2800	aspnet_state.exe
2800	aspnet_state.exe
2800	aspnet_state.exe
2800	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2988	06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: 33	1536	EhTray.exe
Token: SeIncBasePriorityPrivilege	1536	EhTray.exe
Token: SeDebugPrivilege	2672	ehRec.exe
Token: 33	1536	EhTray.exe
Token: SeIncBasePriorityPrivilege	1536	EhTray.exe
Token: SeDebugPrivilege	2064	alg.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2800	aspnet_state.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeSecurityPrivilege	772	msiexec.exe
Token: SeBackupPrivilege	2992	vssvc.exe
Token: SeRestorePrivilege	2992	vssvc.exe
Token: SeAuditPrivilege	2992	vssvc.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeBackupPrivilege	2572	wbengine.exe
Token: SeRestorePrivilege	2572	wbengine.exe
Token: SeSecurityPrivilege	2572	wbengine.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeDebugPrivilege	2800	aspnet_state.exe
Token: 33	820	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	820	wmpnetwk.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2196	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1536	EhTray.exe
1536	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1536	EhTray.exe
1536	EhTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe
1736	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2656	2576	mscorsvw.exe	40
PID 2576 wrote to memory of 2656	2576	mscorsvw.exe	40
PID 2576 wrote to memory of 2656	2576	mscorsvw.exe	40
PID 2576 wrote to memory of 2656	2576	mscorsvw.exe	40
PID 2576 wrote to memory of 600	2576	mscorsvw.exe	44
PID 2576 wrote to memory of 600	2576	mscorsvw.exe	44
PID 2576 wrote to memory of 600	2576	mscorsvw.exe	44
PID 2576 wrote to memory of 600	2576	mscorsvw.exe	44
PID 2576 wrote to memory of 944	2576	mscorsvw.exe	45
PID 2576 wrote to memory of 944	2576	mscorsvw.exe	45
PID 2576 wrote to memory of 944	2576	mscorsvw.exe	45
PID 2576 wrote to memory of 944	2576	mscorsvw.exe	45
PID 2576 wrote to memory of 2704	2576	mscorsvw.exe	46
PID 2576 wrote to memory of 2704	2576	mscorsvw.exe	46
PID 2576 wrote to memory of 2704	2576	mscorsvw.exe	46
PID 2576 wrote to memory of 2704	2576	mscorsvw.exe	46
PID 2576 wrote to memory of 2020	2576	mscorsvw.exe	47
PID 2576 wrote to memory of 2020	2576	mscorsvw.exe	47
PID 2576 wrote to memory of 2020	2576	mscorsvw.exe	47
PID 2576 wrote to memory of 2020	2576	mscorsvw.exe	47
PID 2576 wrote to memory of 1252	2576	mscorsvw.exe	48
PID 2576 wrote to memory of 1252	2576	mscorsvw.exe	48
PID 2576 wrote to memory of 1252	2576	mscorsvw.exe	48
PID 2576 wrote to memory of 1252	2576	mscorsvw.exe	48
PID 2576 wrote to memory of 716	2576	mscorsvw.exe	49
PID 2576 wrote to memory of 716	2576	mscorsvw.exe	49
PID 2576 wrote to memory of 716	2576	mscorsvw.exe	49
PID 2576 wrote to memory of 716	2576	mscorsvw.exe	49
PID 2576 wrote to memory of 1688	2576	mscorsvw.exe	50
PID 2576 wrote to memory of 1688	2576	mscorsvw.exe	50
PID 2576 wrote to memory of 1688	2576	mscorsvw.exe	50
PID 2576 wrote to memory of 1688	2576	mscorsvw.exe	50
PID 2576 wrote to memory of 2312	2576	mscorsvw.exe	51
PID 2576 wrote to memory of 2312	2576	mscorsvw.exe	51
PID 2576 wrote to memory of 2312	2576	mscorsvw.exe	51
PID 2576 wrote to memory of 2312	2576	mscorsvw.exe	51
PID 2576 wrote to memory of 1912	2576	mscorsvw.exe	52
PID 2576 wrote to memory of 1912	2576	mscorsvw.exe	52
PID 2576 wrote to memory of 1912	2576	mscorsvw.exe	52
PID 2576 wrote to memory of 1912	2576	mscorsvw.exe	52
PID 2576 wrote to memory of 1520	2576	mscorsvw.exe	53
PID 2576 wrote to memory of 1520	2576	mscorsvw.exe	53
PID 2576 wrote to memory of 1520	2576	mscorsvw.exe	53
PID 2576 wrote to memory of 1520	2576	mscorsvw.exe	53
PID 2576 wrote to memory of 712	2576	mscorsvw.exe	54
PID 2576 wrote to memory of 712	2576	mscorsvw.exe	54
PID 2576 wrote to memory of 712	2576	mscorsvw.exe	54
PID 2576 wrote to memory of 712	2576	mscorsvw.exe	54
PID 2576 wrote to memory of 1068	2576	mscorsvw.exe	55
PID 2576 wrote to memory of 1068	2576	mscorsvw.exe	55
PID 2576 wrote to memory of 1068	2576	mscorsvw.exe	55
PID 2576 wrote to memory of 1068	2576	mscorsvw.exe	55
PID 2576 wrote to memory of 2636	2576	mscorsvw.exe	56
PID 2576 wrote to memory of 2636	2576	mscorsvw.exe	56
PID 2576 wrote to memory of 2636	2576	mscorsvw.exe	56
PID 2576 wrote to memory of 2636	2576	mscorsvw.exe	56
PID 2576 wrote to memory of 2132	2576	mscorsvw.exe	57
PID 2576 wrote to memory of 2132	2576	mscorsvw.exe	57
PID 2576 wrote to memory of 2132	2576	mscorsvw.exe	57
PID 2576 wrote to memory of 2132	2576	mscorsvw.exe	57
PID 2576 wrote to memory of 848	2576	mscorsvw.exe	58
PID 2576 wrote to memory of 848	2576	mscorsvw.exe	58
PID 2576 wrote to memory of 848	2576	mscorsvw.exe	58
PID 2576 wrote to memory of 848	2576	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
"C:\Users\Admin\AppData\Local\Temp\06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 258 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 26c -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 240 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 280 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 298 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1f0 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2a0 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 280 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a8 -NGENProcess 240 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1ec -NGENProcess 2a4 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 250 -NGENProcess 290 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 274 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 1f8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1ec -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 1ec -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f8 -NGENProcess 1d0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 270 -NGENProcess 1d0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 270 -NGENProcess 1ec -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1ec -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1f0 -NGENProcess 290 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 2b0 -NGENProcess 1f0 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ec -NGENProcess 248 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:1508

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2500

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1536

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2712

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2028

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1520

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1948
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1736
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 65536 696
  2⤵
  - Modifies data under HKEY_USERS
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
234KB

MD5
987ef5f4aaecb2876ff5c8dc19dff750

SHA1
13a4b129cc1d40e9853982fade2c1747e8ae6def

SHA256
2920a6538a1e5286cf23cf8c9d8ba09d0014bfdd30f4a8cd44238ad0bcb60bfe

SHA512
d7180e4f7dd0478e5988c61ee707530db33002be60772de725d6651eafde830bd2698db0d4d0b218e54cace75228826f45051e37757e4214a265e1d1b11af30c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
676KB

MD5
cbdf1dc046ffca200245b1b8ef05d435

SHA1
b93f3872ecda23f75cd4d2c601bbc3fe3b5bd66d

SHA256
513d231e63a0b2f3c1c370afe9e3a1fb6fab85a0f8a2f1100d654909e5a39533

SHA512
3626a39bb0cfff2f844450651f3e0d45ae3271b9e4937083047ee5d412548afa05c28a25b6683f9aa96cb912cd4f2549fe213261f4f0e045b0d263a7a038cb62

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
522KB

MD5
85926c1d6f204d30d5edd304e8282b07

SHA1
415be779041d3a9d02614ac426a954d025e30a78

SHA256
03a27c53314c0933ca512d9a5913be0576d5d3301bfb9c14784bac0e8984466c

SHA512
1e6727b870888d7b8873fbbda3fef17e16a3a2847e63138fdb48ba09d59926853082724e56fb2398df551897b913f9577c5feb7ef00b5d50c67f3c6497f14b54

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
507KB

MD5
8ad4064b4d17d2d2c9c04e68a245389c

SHA1
b29fb59e6d6c2bdd2887ac93fca34ef103b69a6d

SHA256
6275ee5a847d33ed6a377601e41c25df181e8ff2d0e3c80433086003926ec66f

SHA512
01efc4b5fb37f4a0312a7a4c67f94a3afecef83ec0e9c2efe885ea9bdb25b332ccd5c83dd8a91e73e7fcebea92ad33e72a491b823eccae05787b1ae37937d92e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
97KB

MD5
57644516182efc62e0d29ffd88d9cb84

SHA1
4f7371f1c409110ad7db9cdfdd14580034603bc8

SHA256
e91110404600bbb66f016858068a863ead31a349fe88387f67fe7ff5633933a1

SHA512
526326ad1cf9eeaa737c3d9c09ffd6caa857bad0f282a6d2827421e994cfa46897e2169e4af48718109f910068011ed9480da5537b92bfae7abac787f00d4371

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.5MB

MD5
12c4bbcf8c2392a69dea77e5fbc42449

SHA1
d575e7734ec557c66d9e174522f8943b13af003e

SHA256
3c0eecaeaad3d61ad4528333eef31ddb7c99d5bf85c47b0a58e2d558610bca14

SHA512
0b2eb281d6615efced63a36b050ca6904df6ef84165e7266d4f52224c13f395005c10a0aee24011e29a65a758c3147255ec775609cf23e9b28a8e567abe24304

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
426KB

MD5
75159335de8b342e3219edbaa2b9ca95

SHA1
56be9be9f4a78bcbb56fc9895c4cda535b57d803

SHA256
269d9b67057c6bf0f659d6379dc6bb37eddb03c8e0188e6fa9ac4dc7efbeccbc

SHA512
d83d4c7e19605fee4876fdf550ab2b16f3d441f29c08de3bf666009dd13dfb161f829105ff2823af9cb279b905674387ef826bf23315fa24ec1495771dc75448

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
192KB

MD5
761819658b3d634c7f93d040de8f7647

SHA1
74fdaf19d35b2d5d8b019f1e188bca248680858c

SHA256
704642599f8acaa789c01714b7b0bfdaccbe3499cb3904a4725c45fed72c9092

SHA512
026122baed72d5255e3a028d906c1f7823810677267aae22e82a29efbc19d307c3cbe48a42397e476a4b5df6e92dc10cf8d215246666306fff17a1733f7b588f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
126KB

MD5
ecc7e72f6a77cba32a340d5710513270

SHA1
3081792ece483fb7049bc8f01675307de46cfe7a

SHA256
897277446a11882f94976420aae40712e344eb1aca47bf41b4229dbd6a0609b7

SHA512
5980d658145c7aab9a284f1817e750425b0da33fe79ef20566a54b1afa32a8cdb49a589cfceeb0c600e964c76f641a77f8a191c56471573eade14df4e7c0bcc6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
38KB

MD5
dee64a13b0a6242be6d9ef65ef456e6b

SHA1
d1339373d00e7c44d1a5abd937da846668c6da7c

SHA256
33c6d0fe9e3bcd8037be8aa33525b5ecc8468f67af438c2ef00eea681777e972

SHA512
af3efa3a3c39aaa50b68a37dc507ba23f991d8f37140a4ac83e3291b6f94c125e2f31c90624b484c9487436d92f1ed37cb187c4ebc3cf94cc93f877076e699ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
49KB

MD5
1aa43362e0807a26cbd5d1df654702c5

SHA1
d3020d63872e14acbd132d98077be90cd0f88ba0

SHA256
854c0ca554bf83aac9b886d0101ce3ae1cdc99fedf2d0caf875fd3ac302d6298

SHA512
abeb157b53722072cf311b8a03cfbf1a62963b8f4fcd977ce70004fce8efb4d2ab7196dfc91c62d91bafd2abd95266a5dc81e0536418ce9406ec0be91178ba7c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
140KB

MD5
1027f43510bfec63cf5e2869e39cd80a

SHA1
a72259eb9edadf39c26b94bd813cea431413632d

SHA256
7a8c590881dd2d787067cfc71fd0dc27084d368248398d0db35b3f99a8698e68

SHA512
3949baaea4911d76247627fb13a5a03e2e10a1146946fb7467efee9cf969f9f3f744533239c42c177d9389ad054e47568ddf7162b17234ae7a2f047980ea7f64

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
113KB

MD5
d27c7d28df92be56f3ac3b799631ba41

SHA1
6e602ec3ac855a5635c0ee0d8365d1d9ee9d20ee

SHA256
ee6be7762df63015d8d6d877802f8de99990b343264e0dd0b561baf48c4d5630

SHA512
4b83ece431660b3ef3d3d58438486672d9b2c2b91c8424bd173f52cb31269aafdbe4765d9dde3359464ae6474e8bc04c39e620689fa2d112e15b2a35aac51040

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
77KB

MD5
239207b7b147ca641e8dfcf95858c2e9

SHA1
17403550763f0ac52e1bf62560eeaad47e0572ba

SHA256
777dc068dadbf03e4cf794f6cb0e9055278b4e40154472524dad5b7be1cd2cb4

SHA512
78aeeae06d28adc3053efd563e174703a68723806e061031f09895649f8809d8377fdcfe3b8b2ea2da00862e8cb005c050f5c3d109f4ba20edc32c01b67a208e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
385KB

MD5
0f5720b6c2b77e2ded86a79b0e8c20f5

SHA1
f060a3331dae32998cfe6fff21bb1aa127073a92

SHA256
445b088dac29b98b2292687eb2c4870d0cb618fc0c6f9907303b05fea73820a0

SHA512
a4e75867c71fc164e8e413c0d991e31d66d734367bc31ca03152530b4a06faec0be04559d3cec0da9b527b61f7a957113be85c353e5f0c73ffd3e0b87b578a19

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1KB

MD5
24a9baf206930a663e99f1b647bfb85f

SHA1
42e5a9659c06e77251a1a8ec6b4442fb9303c605

SHA256
3a00340009bbd6ba3d7252c240ecc3e2bfd116434101766240a59d2ee1b2d5be

SHA512
7e4712113f79b0c7e251d437a876910eec116e95ec4240f7d67ed728d0abda925af9dfdbdad805b811dbbea7a452526f16e5f3b9138d6281fa49f118eefd4946

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
124KB

MD5
ffcfd326d77ef8542d56ebe580b63b80

SHA1
19e7792aa415906e3ad960a813c95b4c5fb549d7

SHA256
a85532aa468dbf8a701b4f3e8683f896e33a8d77492639c9bcb697dd6cbae31d

SHA512
97aa53ee82125909bd7a4373fd984eebe56d9dfc07ff5d454cbf6a0b7338348108af01033ca3aefed886ad634cd6b9c11278a19ec7048c9335ecef09c06fb473

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
326KB

MD5
b5908ac9bcd30d32aca98aa76c6e9951

SHA1
253e5d972bd13cbda8c094d18434226837bef774

SHA256
b63c26c8b5c24671c9b0175dc7cff5a8989650b9e724bcd951d2cc2e08d7800b

SHA512
d9b54cb22b56eb5fe3d7f1dfe1f4e5c538874fe05aedbf067e68fd00ad5a24f513c0da46477ae29a7bd898d46e3a40763515e4b34632075c6c0c9aca1aab262a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
110KB

MD5
285395cf8d5778623d7e2e78b1f33fb4

SHA1
dc95dd58e026c6036bb359f4f2c0b54f5429d1a0

SHA256
adc4dd41b1a2243398fc9321c443988af697f4fe11b766fa4ce74c3b753f5827

SHA512
431feff1d5c54c569f12d2267a064fcba175971aec0f1016b7f5cc8d9a1b471e18eec19213c661e2112200a2d1b81ece78c037e81563f812cfec678d62090dc8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
620e93d1a920f2c336c6d4454c344c8c

SHA1
fd3e98cd74d0cc11436372efe2278d6b52609ab0

SHA256
4c1b6d0f5f31fd376d4a0d7cf1ce447b494a82d6c138ba61130b9632fbf97ed4

SHA512
ea0b5ffc6194890541aaf240e6bdcaf5d352283b7e2a191301bfc06f2b33ddb6d472d8469180c0389b20db15ad652ad9dfde6d3651108c84ec930ddf3dd94d7e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
327KB

MD5
130710223f025d746d1be00080461baa

SHA1
aa58ebedf417fdc9de6d295c9cd07af415a1e72f

SHA256
4fd904528aa4072653d18f63cc1e0f81009a7e217766c4ac7fc457ac6d71973f

SHA512
4ae96666081d2d1c2c6cf76bf40770ca8e10f5b7f12ebf3caba990c045b35eaf02aec6e6685368767c4f10fdfcae906436a8da66ce20fd7cc62a51fa9d9c184b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
188KB

MD5
9f055e93e981766553ea4cca4fcaf374

SHA1
717a733b343003683c1382d133c903848be65695

SHA256
b1705df797ce94bb0488d42851a9876e6665302a5f2afa487ec213253ae877e2

SHA512
f7e6893a5a37418f18d723514ba2227c9151148a2490e1bba27b355fe06a49eca737246d4302b0b5474254f26f34a0815c546c914cb824344208aa8cbb912e81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
25KB

MD5
e5388a729ae9a40ed790bf06e2279f44

SHA1
5897952e5dc8b51d05b6fab6ee4f0b1099e8cd1a

SHA256
ae9b00ad19a06d996645b259d8771056f5b60e47834b4277f11ac58b4db7170e

SHA512
9412de5f8a4234a631cd14358fb7575e7be6643d95aabd5854a5cc4211214e8b8343ef629a6c76cbedd8037491628831697a3d090f0be9cd77e4f3ed44a8e246

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
103KB

MD5
e4474bb49e6f4cf6fdb35d5b2c3f4d9f

SHA1
9c3e269a764bd00956443e8bea7921c5bab964b5

SHA256
1ed878b334a165023b44b1a2811e4c13f0667bda71c1a0e7452de1322ab37a0c

SHA512
3382a7e0cb239c350a0e805e72bdd1a8c9b66560e7d6b79f4bccc188728b81b66a113ad7e8b0480156f31b05f4cbf7775d8e1ce17683bee3904c0ea1ec2e8a5a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
82KB

MD5
21484805e1bf055520e1981e76396aa0

SHA1
a84c6252af83ea63867cec54ff81929bd7ec72d3

SHA256
3b37a8d4db1f0aaf46b9b70622c5812cbc605f7f4408fe0e72414a03f9bbb252

SHA512
4a690b730f34f1b0de3bb3ed7b4c8db4896faa3bdfb3c5bd3291a44f9274b2e67134ff1bfa7cc60bc0c8d23b99328d1a899ee2afb6a97d3e9f38d2dd22636821

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
54KB

MD5
0f64ebba3af9d41566a8e9f68f4100c0

SHA1
369f324ec054282c3a4c0290e3161ed7e1d646bc

SHA256
31ec8557f4a0f64320aa0dbf7fb754ff6999d71ce37290d10126513d3e2ff2b4

SHA512
43562d141c6c44e4a0b50f397dcfde857887ab84819f87b8210e9319b4573488dd420770e9f471d073389548389557a003adbf31cbf809d747659a4e3f17aba2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
254KB

MD5
a9d1127b9d40d47ad8d6ef41a225125f

SHA1
117b551c8e921fcb6505ac3c777e0708e2f9cf0b

SHA256
2daffc1afaf06a1009e9c68dd126b56e6ee5feb1c59ddd49f9ba780767c9ac8b

SHA512
1764aa24c079c8095165dd761c89e264230a2934a7f06aebcc9087c0323f21f3b24e14a9a83a6b9158fbff8224f1341e2c59f2a95740e8bd69d1cb527aa95389

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
207KB

MD5
1c80791c4f8651d7525ebe3a5b5a3da2

SHA1
e04fa3c228a1cad77aaea000e763e5ef95a5dda4

SHA256
2435a9b86e24df265da4b489e291347681d5c0216745148215e62c7abe277d34

SHA512
182bb74f87c34d6b532317b9b4c1b0ec5b07b5e481db7e01cddd4cd07d521c49a21078ba96b43cc59febd1ed919a01a23aef1bd91ff1ae9044f7b3b994dd7675

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
136KB

MD5
fe7d0808fb82cd3069c01f3503c442fd

SHA1
d620100dbd75aa32e7d84e38db15da31f9104c5c

SHA256
4b6638c732775bc4d24b301dc43a907f3785a5d7b0494f84c104529e437ec81e

SHA512
a12c373ce02a14f0ecffc1f39ce6d3221d6996b79b721c13b3bd7d714cbf8f0839428b932eb32139512faba0f430c2f86a66294e4888fed1c5d960d9aa6f9045

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
271KB

MD5
854b777b83e958e3e02a1e8dfc31dda4

SHA1
e939759cc3d157f9440deb6e726887f3cc9833df

SHA256
c889b83cead411811793e470b425f06b9fbb5bdca44a0b794812caddae25cb62

SHA512
162afbec59fc9e8ab9011b4df3a92757f88e5212cd733ba22110e3eeae7e61ee17429fcae4321233e6ce37ee8a3cf191598baa354317c65e8ba97f4ebe473423

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
88KB

MD5
f845d5082de83831de71a3eb8f5b02ba

SHA1
011039aa4b5b3c84356e548e1dd253099ebf8b31

SHA256
865d836710383d4d223b1de8641d35915f0fc303c1a15a07bc140b3ff2a22246

SHA512
e9a001fa3e7b887acbb9c49f51679b701f65711036824127da22da974467e849e3537c4a867b3202fa5f332185bded425a6d75ac16912a66d0ae336e0f8f403b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
104KB

MD5
8ee86ad7f4dea39b039f99482e5fa728

SHA1
75e86f31456470981cae64655dbbeb818e4dde38

SHA256
5f5b215ac14d68cad90c57888263868f0c740af9b96ebcf839d8a438161f14cf

SHA512
0df0e50a29b2c0cbde94b535fb37b531347333596638b03780a7159f7a0918a05021783f7aab9e341f43ec4b114ed56b0e6a954b8fc3bbbdc46c3c822d90e6a8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
46KB

MD5
d26adf1dff473780aa46a9477f0585e1

SHA1
c3711ebbef064b118a29f3943f27f624c5e59e1f

SHA256
c7b8f175f20f80cfd2b086cbe4fd01e3aa410bcd0e0aba35643e24530fced4be

SHA512
004ae815fe7f5f09fe85e40e499655567c5824cef65570a9148520b6996d5e062229c89338d00118fa4a0ef8a69d6053f2c47ee1dc21815894894bb89f46327f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
5KB

MD5
43b7f784a62c87da763b12a271efecb2

SHA1
ec6b3b6a14c5dc66e272170cc054d8beac07ce73

SHA256
9cebedf38032f2be3f1556607228984f35d7e31113b17875336f0c641721d0d7

SHA512
7e30e77020e305efef439dcb2016dca6d232258223271ab0b5ca39257c918390a66e8fd915045e899584294c1627835aedf0743aaeaf76e0fece2b04e44e0c9c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
a01c04d89009a2884fd822aa6f6abe3d

SHA1
4871d3fafd423c44ad0c497bbf707fe05760be6d

SHA256
1c4a06d6dabc260836eeabf747f87a2d67b32c61d4eb2c3e966176d4c738d994

SHA512
845ad3c7cbd9e894fafa00b063aa836cbad76d7475f88dbb5fe389c99b6e1e36e3b797249dbbce3b6b34fbbc206a74e7621a9b5a388193cc60f0ca17fb95bb5f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
73KB

MD5
7abd67f4217591ac02e9fa0d2969cff1

SHA1
560d9a6426dec938afa138ff536c5ac566b49bcb

SHA256
047efedc280512ce44846b2001ab342a455aa7bd23273ac8b51cc881cd40e121

SHA512
19f2d980accc1875bd2f704f6cf598298c00996ba058a0893e1ee8f786428e6b16110492eca180a33f791d22b4b8cb90628d628555eb58aaa3c4f4e70eebab39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
335KB

MD5
eff92d99ce83c6200bdde1d97fef3507

SHA1
eb167d75c797accf66ffb3f992e216607a6f2414

SHA256
efe2b51cb592d10385018832cbcba950eed3b82c905e4ba321e7c4db471f34f9

SHA512
81c781422cedc19f03604f64c5c3124328404b3aac8c85866802918c580327de173c72d2ccd7961f1bf458d40abe3a65231810ca07731e930633c7ba1b34d13d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
165KB

MD5
cb39c1cccfda25b0bf4958f94b844728

SHA1
e6cea31c66ddbf4c7c1649a2f78978c6945e2e78

SHA256
75da1ab4a3a020396036ef5bcd013ef343379c34ea807861bc6ef3390a078432

SHA512
b5bc28fcd1020d683b90872c45e7c710d541e34004b117c29d6d5fc493fc13f1dbc436ceb4c9ebb611bdc5e68ef5fb5820a4194b34d746ac0072ed4f941630d6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
164KB

MD5
4d2aa16f7dcb70965f48346982218163

SHA1
a010188195624352c48dad3334b1ca356e4eeb10

SHA256
cd9d5f177c8f741a669e704a01154e5f74045c584ac66a6918a1a7d7670159ae

SHA512
ba45645e7aa19d8957e54f931817ce1b0bab318c3b659ca59111939b44dc43f7e744560c2778a7257354e71f3586ab610998691ad8fb9e017bd7cae0aca7d67b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
122KB

MD5
d517d4bc7da79016904c476e55d2f5dd

SHA1
31534771c8cbf116a102056a62e8aac64c4c4fd1

SHA256
1a548126fb09c3edc3fa040c8c7e33499a6013311cda3c1409e0865a49622dba

SHA512
ec0a742abf25d62110074e662d6eb65afac01c5f4d21396df84cc2f34838b0e96fa70fef52414df52f67d5cf18125e5d10daf0aa1e272f5f8925724116da00b1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
172KB

MD5
2a661f0032e8965ea32bae6ade27bf4b

SHA1
c654fa0d924468730775cf512c9b111b79d30d47

SHA256
1cf34913b67374c55cf8e5c77c0cde8ef11dead423bd6f6da1d3836abb814f51

SHA512
767f27a36c8e6d4d1753c317bda0c7ae79e81bb70ac4ea29a3f855e22e5f2b27b88f0ef5c5bb5b6b58841f664484ce078f7ed181a232e2e084514a4c1d5ae5f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
109KB

MD5
56b674334520590283b70b93ef0d570e

SHA1
1471a5c5c11badcb7070c47d95e955dc1b8436cc

SHA256
6311924b436527bceabf48ed61c4bb99db46b3a4f2e643f54e419ee53ddac6ad

SHA512
f15cca496eb314c62b6736d02a39d0b39aa5825ad90068272b3e368313141fd86de61777b8576dea0ef198a035e3f07081471bdfca2b13889dac8d4034daa2d8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
ee241b65f8e5a7230a84ae7fabf698bf

SHA1
6d2657ca14f70c812224a62645a0a80dab4b2000

SHA256
1b8730c5974ef0f54c66c9faab5e922341f27e699cdd6e5259d53923eda93661

SHA512
188cb376f84985ac2e9f0a6039807bb0a99d76d6edbb6d9ffea1bd6f2d12fb4e4dadaa5f53df244de757e13240b7aa560b41386e85c19ea98f860f7eacc0df80

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
295KB

MD5
1451ae9ca28cee7db6d9a1347c91dea8

SHA1
24844cd892ad1c3b02b995bc38d3ef36462b9a3e

SHA256
de382f9b2a9f185e55c7dff3005a6222d928ba27687c5f28968ef5045d3c2a88

SHA512
360a19a5a964f64e335cbb6c5cdb31e054a65e52a06282c6d10231f88c23804a285230585a3c0de220fb194066c441231cebae8aafa4df7c5f5aef51544a4bc7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
198KB

MD5
a0565e6331b27422f89e9a7db0d71101

SHA1
55d0d37284c497c49690d9eb7ad3109ba860e3b2

SHA256
b58d0b9a33f50f91cf077908bc94b3cd1942a1e66c10509d666acfb2c761be12

SHA512
561bcea18d3d6529993c17f331176836f4a2ae771db07d83c71e35db70f1d6561bc7f024cf268ca3009b201091760db96a7b061c581500475698f6fe6d7848e2

Download Submit
C:\Windows\System32\alg.exe

Filesize
141KB

MD5
5cf3e67e8ec92c4fa47fccdd732f813a

SHA1
46ebe4b2423444be8fd9da4d93b7bbf9b5c59e9a

SHA256
4b99b574e8628ed58a5fe6cd39b7eba26e8070d6a137fbefb049fb16c5a25d90

SHA512
62aa1936d3f5a655903a6bf78ae4d29d8df59c4302ca7edb2dd27e2b068fdc38a76c76ff53b7799aaa7a74208da0e852fa35df1ddf6c4f87409c9d4eeae172dc

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
e047d466ce238b08d7ff0a07cd77cf0f

SHA1
eaa5f8eb8318020d8d624df6a42d2a3d50afa707

SHA256
f69061324e41405a01c977f236a3a15c822038d7b295c72df07d1d81aa8dcbde

SHA512
2ee490765455591509e39a6fd6d6705ae6700befb887983c0676ef03a58b58a666f5abce9170b2484d80c080f6551f99b5f59a9a67fefe2a1177898ecb62b7ec

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
672KB

MD5
751bfcda723ca2899f0930cea12030e6

SHA1
b87ebfe2b9493856d0ab63b20ef72dbe73ad2d07

SHA256
81a93acf8ac5b9a1c9f8062bd98046b59668ae32e63937451165ba750dbef9a4

SHA512
d2f24c9009ea82f98ba0c7aca5a63a9da7a6544de7758686d2df83fd8bae270584b6d5a940a7d9c814b54331225a1428345f9855d3e5f53c23efc48a69b3ac16

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
669KB

MD5
a23534c71c7165d9d6c655b76939c4ad

SHA1
994248f3722819f6d6bdd4b1d5c24e983e87a5ee

SHA256
9227df49bba6b3eeb1be2bf1f84fc7f9685072002ab40c9b93b9febba3a5727f

SHA512
756114346b2fb3e7c8a3db572f3a91ba44eddc9fd014fc09b59ebf9da6283fe6f679a8e7bf45f1530da1a457a0495321fe27fd6b21e83235c1a432d1c4af24e9

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
324KB

MD5
11d52570e97f5c65585914716ac3753a

SHA1
a7d3f883218cab4d3569157d5b45595e0a6b2693

SHA256
c614a3b26b0f1156058150c426242622633ce4a409683dde9192b1f9c56d5d5d

SHA512
a2ce3fefe13a4a266533513b7ef5773efae84116a862601bcea7c1fdeb877ee061f4799b00e43bc75f54fd9c659ad296f083656eaffa4ee7188fd67195e7cef3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.1MB

MD5
481a43e27bf238ee16066cc17179b666

SHA1
3a4582a8d5c648304f34d806c22aac3aad4ee58d

SHA256
d44a35a1cb93a3385bbf158a2505f2f497a370548cffb73c99bc9c333b728be3

SHA512
f90fde2874fbf85ce3a4cf311d8ab4710017d85c8f676b02e6dca34d42b661c9321aa2e20c9659c7f41a7b7ff89eb3525a80d120973517e5fcd440f3476d91f0

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
121KB

MD5
72c9633fbf55d479d62378088573f766

SHA1
b41c8c79c85c9eae679b2cee5d3819766cec1f48

SHA256
6c25b0a7a4ece1d689472fbee64b0c32b5d560bd5414761b06e4f2725d5ae395

SHA512
0ce1e853f24c14e0035a2471ad686fbd824d0d08f116359fddc7559e02a9aa35467e799bd10a653e9c60aee77901577733ba8d71983cf12ce883b4e1b6602e6f

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
58KB

MD5
f7f3dbbd859c545204a3df1af5ad9213

SHA1
9182daadb592b43485bd7f19cb40fda56768553e

SHA256
3d5734108831afd614199a33924608c993b56d4a40f9cdd9e3232bf540a3d1aa

SHA512
00bdb1dbcef1e643ae68b57508214c947900c46c069025f48b0cc07f56ef405d022b15afa9958af2dcbbd4aece8917bfbf88c2d6cea0ce730c63578ba9f3edd7

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
e953a9360361ac3540a4e286f5262034

SHA1
6702f58fc3363aa557ec171af2abdc2a984fd60e

SHA256
49262302ad82c21579fc125c181a0cb92457e074a8437e31d4f9d6594328bba5

SHA512
fce2c7345f0a3e6d5532500ae1b85ed2bc76952430d221bd3ad5700c4eed48d4c00ca75045d3a4ade5723b3a8bfea24c9e99a459bbe52b1651bb82eb5ffe2f62

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
473KB

MD5
36fa65c22868b4513f090a1f6ef2ed5e

SHA1
55add7e51138c04647cc5cf625437301d816d7b0

SHA256
3abbe41470fe7acc444cdfd37fdab1973de855dbc47896c383e216adf61e2ef0

SHA512
9d95c4f6bba05e614fa6dcdf214a179d3bb8c297a6db08a8b82942632e9955ba9489b1e1485c7003d8e5d5a60dce795270a36c49953800cfd3ed948df1a66142

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
304KB

MD5
fb6eb676c4d46206cebec91640f70701

SHA1
58219fa5489e4bba336df0137f8f6f618cd9394f

SHA256
f7e48459121eaf2fff408b0df6d3f9d6583a17d776353f80aadae68d66f32739

SHA512
dbed23a547839f5b3a8fcd0b63bb664260bf97c95d621536c6475a106af9d546dc65afad7df57958cfe76c7340e187a95fa9b682b7016747d4386c5908cb1b0e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
43KB

MD5
0d03519443961f264024f35db0f3275b

SHA1
0fc2720ebeae1212cbbb8f1a31f9d5b1b620535c

SHA256
478b2471c60d9a778d69b5bfb058ef696129cbfc13ee9ee7ffd3f09d401e4812

SHA512
b7736917bfa9b48e0a41d6d7bc1e0cee560f71e76f732f197632f51706c25207e7be0a7d3979b963e6985b011e11b79dd5e388da73f75ea1e9ac2690d28e0a9a

Download Submit
\Windows\System32\Locator.exe

Filesize
396KB

MD5
b4cb92cbb878183589b038ecda7d02eb

SHA1
81708a1e81514a4b8b3584238bdcd6194edb7fe9

SHA256
39140efe9eaaa540d7299a2a2a7dca1c6650f43461ca2c5643194680aa400512

SHA512
487dbae17a82b74f2e613af5df6c0bbe22d0e74f250256eb38276eb8d46c3a6d548a0545cb36c3bb9479d450117eed95e9fe5df2859eb226723f993804930d50

Download Submit
\Windows\System32\alg.exe

Filesize
141KB

MD5
62089cc4f28e1081c5e6fe1b83b1e3a5

SHA1
69777b03c6bc7e9e3581791637ac4169725c40f0

SHA256
9923c707a4fffe7997d68360322071ae022a953f8d064db84b916a7d30fb012b

SHA512
423a1547801897d0249fcc24ed9c98b33091bf7d8909c49b4f0341df14924c6d157ca4863456e478d3875c841763eba66b9665d954bd6606618051ff492c6fab

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
e61434eef25788112f6bdab05ded11bc

SHA1
759689e41ab1ab05242b3975a1c2001fb0d2dd0f

SHA256
3e568518860616734057c2c414d3a5feeb09f0a2f3ff1be06ba1cf70d316b693

SHA512
49aee7c7c74447bcf0baae96249357de014fdfc6ffba7230f2dc142feaa1b5b333434eb517b279905dc6a5e9a7ff28768fdf71716bf7a88a1d67ddea013ab850

Download Submit
\Windows\System32\msdtc.exe

Filesize
662KB

MD5
6203968925a99d1766e6905d868c8860

SHA1
7a1380cd2535dd41a9a13d7c6e0a49233ccd51ef

SHA256
4c791cc4e7d79d96128d3537cce8ea91ccf56e9b8730e31c7c6b594767092274

SHA512
361230d41aa7604d600d3e546bd282c06f8d1d348e88d9fc4ee96875687bb3e03c22856b873bfb965c2896c0b7270fef1d7805c0eb76a62a25974a821717acb1

Download Submit
\Windows\System32\msiexec.exe

Filesize
472KB

MD5
cb293684c1edf9442ce8a941d5f71b98

SHA1
ba4fb25794a68204fd874de46f82b452add9e574

SHA256
d7ce18b7dd2dc214bb3dac47d7e8740184e140a63f37f4b9b610826c130d6ae7

SHA512
1ff6b022dad351fdf5140cbed6503e252fbb67e15efe8f03aa7b41968225148ac0b073f71e019b350b531e65bb8bb940d6c38bb163833a2830bb8541b0eb37d8

Download Submit
\Windows\System32\msiexec.exe

Filesize
356KB

MD5
eb1f57737a9f28b60e135122c246a46c

SHA1
88bece269d014a1df291a4bff2e846607a75f124

SHA256
dea79aef29b85222769164b26ec643885973179c47e584bab79f9e55e6fd5491

SHA512
7caf578c2596895dd05f1633f47129f9473e33bbfc4597c4b95aca27f97bd204a72068301a3c9ec0d494d532216c069998ec053694e74b2bca3ba0e45ceeaa43

Download Submit
\Windows\System32\snmptrap.exe

Filesize
123KB

MD5
17c5dd2aeb6f65b47806d235036c9336

SHA1
2d6b5e40ff07f90dda092343f1994c7df1bcec27

SHA256
d6e1459841abcce4f07e7bad88f3e854db5a83909004cec28fc6e4d1e42da776

SHA512
3f17d2d6b927afc6d45775b5e600b17c861c6637c3f74e54750dc2ae86bf0f443ba47779c0b26ede14fc35248bb7e60530fe59f8aee7adbb1974b33f45d0143d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
116KB

MD5
c4edbee1bed661c334a18d90dd5c4abf

SHA1
03a6afe11b8b94613d5678ec4b053daba79bd57d

SHA256
371924f23487b952e9a34cfbc0c339cfd1efa67d947dfc6bf8d75e6f35161334

SHA512
ac95312796fa5deaca5700f602aa2b8537d0659bb9efcf96fc7de956ff89027b79b209a922d7872923ef35c4757a3e7b99a088b50bc6caf650140d22e65b4199

Download Submit
\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
e1d5ae2d58b8b1e19e026739ececa4c4

SHA1
c6edb1e9efad7bea2a7504765d0d4b899edc493e

SHA256
55b6ce88d1b790dbd494d321676d4d2f4d11b0515383d0ebe304da200f69cae4

SHA512
f9a46ff9f6bed2c01f17c65c43c5b2ab42750a7ec43ccb48e1ec2bdef453a1ef2479611aeee8051ddcd8b6b1a238a9d9bfcafab4ad62d6174f0c12f37d84eb77

Download Submit
memory/324-357-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/324-278-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/324-184-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/324-176-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/324-180-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/600-438-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/600-417-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/600-472-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/600-473-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/600-370-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/908-277-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/908-194-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/908-413-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/944-542-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/944-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/944-476-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/944-471-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/1468-128-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1468-121-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1468-170-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1468-122-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2020-575-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-570-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2020-581-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-481-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2028-501-0x000000006F878000-0x000000006F88D000-memory.dmp

Filesize
84KB

Download
memory/2028-360-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2028-353-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2028-356-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2064-13-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2064-157-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2064-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2064-55-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2196-158-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2196-165-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2196-159-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2196-345-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2436-281-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2436-470-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2436-290-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2500-105-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2500-111-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2500-139-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2500-106-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2576-148-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2576-142-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-143-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2576-289-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-380-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-340-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-394-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-317-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-319-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/2672-316-0x000007FEF4240000-0x000007FEF4BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-341-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/2672-500-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/2672-487-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/2672-477-0x000007FEF4240000-0x000007FEF4BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-312-0x000007FEF4240000-0x000007FEF4BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-314-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/2704-551-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-539-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2704-571-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-572-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2712-352-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2712-343-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2800-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2800-178-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2800-95-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2800-101-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2828-321-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2828-350-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2988-272-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2988-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2988-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2988-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2988-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/3008-331-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3008-329-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download