1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d

Analysis

max time kernel
133s
max time network
170s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
Size

1.4MB
MD5

68da115bca1b6ba8009d0e53a00ed0e3
SHA1

f6ada9d74bd572bbde37e4969902fecc022e7c07
SHA256

1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d
SHA512

36b9f0f7b2453a53669449ec7673a781d5ddf91f98feef3f6ca79ca1e29378a911ae247e6b20f2160d6124d8d0854134b1c7b469cd5e617a304b8de3b4334da6
SSDEEP

12288:YO9B+Vc8quMPLjg4YqLgvB6dMSJ3oecwJE97O8k4QrsdJW3kFk9huIFYPSbwL:YO9BiqtL+SgvqFE1d3ddJW3CAqPSbwL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
464	Process not Found
2416	alg.exe
2808	aspnet_state.exe
2956	mscorsvw.exe
2396	mscorsvw.exe
2596	mscorsvw.exe
1192	mscorsvw.exe
2184	dllhost.exe
2524	ehRecvr.exe
1668	ehsched.exe
2980	elevation_service.exe
1440	IEEtwCollector.exe
2084	GROOVE.EXE
328	maintenanceservice.exe
1164	msdtc.exe
2800	msiexec.exe
2568	OSE.EXE
1068	mscorsvw.exe
1524	OSPPSVC.EXE
1812	perfhost.exe
2308	locator.exe
1564	snmptrap.exe
2576	vds.exe
2712	vssvc.exe
620	wbengine.exe
1352	WmiApSrv.exe
3012	wmpnetwk.exe
2864	mscorsvw.exe
2500	mscorsvw.exe
832	SearchIndexer.exe
1728	mscorsvw.exe
732	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2800	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
744	Process not Found

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\locator.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c6d8d534c0d5d3a4.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{40741604-0A76-4B23-9274-B1438ACED080}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{40741604-0A76-4B23-9274-B1438ACED080}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{60509F9A-A46D-49A7-8A1E-0E69EED67402}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1548	ehRec.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3056	1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
Token: SeShutdownPrivilege	2596	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	2596	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: 33	1572	EhTray.exe
Token: SeIncBasePriorityPrivilege	1572	EhTray.exe
Token: SeShutdownPrivilege	2596	mscorsvw.exe
Token: SeShutdownPrivilege	2596	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeDebugPrivilege	1548	ehRec.exe
Token: SeRestorePrivilege	2800	msiexec.exe
Token: SeTakeOwnershipPrivilege	2800	msiexec.exe
Token: SeSecurityPrivilege	2800	msiexec.exe
Token: SeBackupPrivilege	620	wbengine.exe
Token: SeRestorePrivilege	620	wbengine.exe
Token: SeSecurityPrivilege	620	wbengine.exe
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: 33	1572	EhTray.exe
Token: SeIncBasePriorityPrivilege	1572	EhTray.exe
Token: 33	3012	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3012	wmpnetwk.exe
Token: SeManageVolumePrivilege	832	SearchIndexer.exe
Token: 33	832	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	832	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1572	EhTray.exe
1572	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1572	EhTray.exe
1572	EhTray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2628	SearchProtocolHost.exe
2628	SearchProtocolHost.exe
2628	SearchProtocolHost.exe
2628	SearchProtocolHost.exe
2628	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1068	2596	mscorsvw.exe	48
PID 2596 wrote to memory of 1068	2596	mscorsvw.exe	48
PID 2596 wrote to memory of 1068	2596	mscorsvw.exe	48
PID 2596 wrote to memory of 1068	2596	mscorsvw.exe	48
PID 2596 wrote to memory of 2864	2596	mscorsvw.exe	58
PID 2596 wrote to memory of 2864	2596	mscorsvw.exe	58
PID 2596 wrote to memory of 2864	2596	mscorsvw.exe	58
PID 2596 wrote to memory of 2864	2596	mscorsvw.exe	58
PID 2596 wrote to memory of 2500	2596	mscorsvw.exe	59
PID 2596 wrote to memory of 2500	2596	mscorsvw.exe	59
PID 2596 wrote to memory of 2500	2596	mscorsvw.exe	59
PID 2596 wrote to memory of 2500	2596	mscorsvw.exe	59
PID 832 wrote to memory of 2628	832	SearchIndexer.exe	61
PID 832 wrote to memory of 2628	832	SearchIndexer.exe	61
PID 832 wrote to memory of 2628	832	SearchIndexer.exe	61
PID 832 wrote to memory of 2504	832	SearchIndexer.exe	62
PID 832 wrote to memory of 2504	832	SearchIndexer.exe	62
PID 832 wrote to memory of 2504	832	SearchIndexer.exe	62
PID 2596 wrote to memory of 1728	2596	mscorsvw.exe	63
PID 2596 wrote to memory of 1728	2596	mscorsvw.exe	63
PID 2596 wrote to memory of 1728	2596	mscorsvw.exe	63
PID 2596 wrote to memory of 1728	2596	mscorsvw.exe	63
PID 2596 wrote to memory of 732	2596	mscorsvw.exe	64
PID 2596 wrote to memory of 732	2596	mscorsvw.exe	64
PID 2596 wrote to memory of 732	2596	mscorsvw.exe	64
PID 2596 wrote to memory of 732	2596	mscorsvw.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe
"C:\Users\Admin\AppData\Local\Temp\1c37f9f17355f0c56871b895b82ba3301333bef5f9896cb94456370f5ab2770d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 25c -NGENProcess 250 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 240 -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 250 -NGENProcess 244 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 250 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2184

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2524

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1440

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2084

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2568

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1524

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1352

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-452311807-3713411997-1028535425-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-452311807-3713411997-1028535425-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2504
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
45KB

MD5
7cc3bb96f47927795821f69fda9cc62a

SHA1
19a098bf7d9060ded44380b91ca02189e5bb7b9a

SHA256
c03a5c60796caccef445ec343b26a6db89cc73375a17b7faa6e0ccc65978b11e

SHA512
b8612bd86ddb0b5554f969749b723b5736ffc853976dc2e25b1a41e0457989c7062e818f4c4775a67816efa6f69caedd19d703f7dd5bd0367d85bbd40d9b4516

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
9.9MB

MD5
6c5bd12bc224882c7715eb55ec85d338

SHA1
00d2c39afc519b4518ab4a1395522642df150c35

SHA256
b24f6cf301623dbf963e38f8851ec1271a6c7fecebf6618e51521d693c73a534

SHA512
85e421dc527e8411b3d31f79805bb77cf691050a425bc8ba899273f105ae66961b5aee4850013a94af30ec21fbb5043eb6dcddb403c912a889efc03cda626d89

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0d42c419bed45ff859eb81ed469148ac

SHA1
bf1b7953bf765ee4ff193b0d01e1a6cfa7497edb

SHA256
bf65bfc84ef58ce67a9b2808fc85587a3db4c17cd3d74ee55c80c3b4cad913f5

SHA512
5e5b453819e08b113ae19c18367ea01bd57fd988f0c8682b4210e0f5f3055b6806e9b64c010ca9fc3f7976d3446df52f46980869e8138976c4f55c5add7971dc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
4.0MB

MD5
cda7efd474ed6455c124176909977943

SHA1
0e1ca079c3b91f9c95707f02caba80bb041db7c6

SHA256
963a0efe75d28f5e77a7e97be8d9296db453c15f63164de26151eb55d33b79a3

SHA512
520d3ae00c9303408f4f24efab9b621a4090c97339a9f85de95dfcd1311fad5000d1c0923fe73b5d8f92b9bc490ac75eddb0778d73980a2e9bf9904f332ce021

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2801ee1495456d0b77b4b997e00e1729

SHA1
ce99ba016b5e3687292dd56fca09338e19da7417

SHA256
e7913c1a88ba9cd72c8e6295d84dafc8bd7e8515df37f502fab062c85db92556

SHA512
e1b6c3298b616f8ca90e86188a16363ad22ff7aeff6e35057e2be36d416254b87b579f2afd72d47736e0366118db2c314ae4af7efa331bc5d381af2625424211

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
245KB

MD5
378217d8ef6a532068521fcba089d117

SHA1
f94f601a219b1ef9ca13f1d21fb2a2cb40a4881f

SHA256
01fe85d25fa3527dcdad15be2a6e9fa5c3762009214b4ca517002a4dfb5118f1

SHA512
d4f89043893eff7a8ee6f5b6de45c366ec0099f4c76fa8ff0a13c1fcfe774eae3d96207e12ecb951f6cfc520cfa6a3aa1087f71b549981d23af87df0a62b3700

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
00a7604f1472c261fcf7de5ce68200b2

SHA1
51536211917f7100b5a8ffbbdc4dd562bc541f15

SHA256
b4d7be52f624830556a167959323ec02bf8b598626fd19ce763cc3454990b573

SHA512
0ff4f77c1af437f17ec2e7ef68167e0c2fc54183d2b73a1195a522bb34e36e033968c8a3b8960fbe5bea667c7353720dff670edf9d03460412ad26b0d49e871f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
451KB

MD5
e91b39f8a466807c886b2f0011503ae3

SHA1
2501953769dabb45304fb9e90de7dd53af9bd9ff

SHA256
69d061f06894b83d2f7c205b84b6614df96d74d5ee3f1098bcdbbd67bdea9056

SHA512
524fed5a460de81061dc87e2ae7321fd0e54471a01f014a3efc7fdc0c94ea97cef12aa5b02a729efdef7c45b4a498f8b28c7ddc969f85a9c0ae4206af0c1d40b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
495KB

MD5
d1009bbf97ae03ce1ec70b7dfd3d8972

SHA1
10d98e9728a550dbfca61ca15bb0136e70bdaf9e

SHA256
3ce09deec7f12fee3ea7be45470fec52e4ba1e732586fd31eab228303ec6e18a

SHA512
325e3de4acec0336ff71edf4899f746d4e94d07cbe42334747c2e911abba1793f566ce1222787b3735d9d5859302f352542be44a3572f8726661bc69c1ca97c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
422KB

MD5
0d3640d4b170bd5498351d1b4f273843

SHA1
16a23c1fbc4b4c5e5cfd5415930868eaaa8c8d9b

SHA256
c6b7663e7a3993a2d02a3f4d2a05b5f26ed09685a3c3f3e561b26810f5e23eb9

SHA512
cae71da38bfda3f7a0ca58c9a512ba025f4a77570d81db5d47dc91fc695b79c0fd50668b96d2e04405f232aa3471fe4bfcf7777882cb7c882c6cc1172310e9ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
3f39ba1f23b878f2e58f58cfa9c4dca9

SHA1
dd136d3a3959ad9a468e5731be59b33eaab7ef5f

SHA256
28b161dacca85c27b3c43e0f21355e220b932ccb385094e27aa1f1981aa11570

SHA512
a0d13dc88c1948b887b0a6efb4781c7d5073cbd92002f4f930955df017dc4a2b998c1485e9ce7f411e742631efe65271c902934502a6532b41e83969feb49921

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
101KB

MD5
0c84aa887d7e299e263e90c05f3f43b8

SHA1
5d1d8be51c2e0ee224490f1660e413061316c7ac

SHA256
9f602aa1d15dec970ed7d4b81f09f027155293460694bd18785153bb4a518b7f

SHA512
6ac8375c48a22a396cebcdd40ff3a0979eaa1eaf7700fd142f7b677e9c42a6508e454d2cc5b3651ccfd517166857f7de7def2ea498243814b7e2ed05ee3f4986

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
4f9a70afc71febf639639fc30e7bf251

SHA1
286bd86bfe35b736b9f65757bcd5d70a5941bc7c

SHA256
1c6bee7a9b11fef22dc28ceea4a159efd9780c0db8df207a6d8c052f8620615a

SHA512
cc018202b7352606e127e3bc7ea0a5f3e3bdb0273b32acdb06a04ba1de1b033ef5b4fee271a52a49b80540289c1bff13b931cf08091a077f0e8304180943279a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
707KB

MD5
cf8e1ae9d370448813b4bd94a8428020

SHA1
3fc6ea70a4fd34cac39862cdb9346d393d239308

SHA256
1f2100903a13ee3f1b24302d79c2860264a12de4bd1ad28204d522cf269da3b1

SHA512
aec4e73524bee4746b049c2f777a0b8ceeff11b9f3a573bc8e5af2273a31631a73a41cba43a42eacb40aac1377d5a6f9d443013b8ccadd43affb4c2a79c47488

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
365KB

MD5
c7dc1e032a722b33071dc9c4e9f4344e

SHA1
2d99a47a4940ab33013378f0feb1bf4c5a83c8b2

SHA256
78be1811dbd93dad17f4daadfdf6b9fdc7b1da3838f0e1d21180f6642774df3b

SHA512
ae7503f4fcb7a8be6c0da6e5bf8ca40b6b51c747034f0e196cd19f573b46683b57a31fa3811734eeb6cf96b3f15d6b40c8be2dd918eabaf53bbdc2c99a557fb7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
160KB

MD5
8da03cce3b33cdd2cc7d07ddc8cc3c3e

SHA1
c7c80040c6cf494189a700441ec73e7ff99c7a1b

SHA256
d2c434e1daefbf103513b5cfda53d81048dcd4508d79fbb47696994f82ce33c0

SHA512
864c23902a9e4f0486148a5651ee05eff0721fd13098729b7c8753fc776f34e8b6b480f8dd2fe3e4f25f5e8366c882181f80f615f585a4157414afbcce52b004

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
270KB

MD5
8dc587330f579122b812bf2d2300226a

SHA1
3459d8f38946ee99d38077083a9419df1e7e1ea2

SHA256
99d1de47230c4eda2b247c671fb5b0e6d18b82d4bd5c1413a3de7c6022157bfd

SHA512
457ca3faf0425b928bad23b312fc47f676b9fd5448609b5c812ee492f51a330b46b91da814ea2994c9d23ab68ab220f3d1b7a4eed4553911a430e4841627fdfc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
1968412b6655ede6c302f65f7a97bb74

SHA1
61226f6c6264c2da39974be9f434de104058f068

SHA256
e7f263a58bb5f36acd03a0ed6234bdd9158685543fb5db4cf48dbbf1bad2dee0

SHA512
3ee1c118e1144afc02a5795e4ce1066a0ed2434aab9a214a9191d8624f0838c00843cc6302d5927507acfc93cb5d6093959d11a6e07c4fe66725d1e8e65d0971

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f13b90e7b5faec22562dfc32653d812d

SHA1
678d4d538a35d9c7a515dd59b00a912ecebdf403

SHA256
7354d64e201ceba0a40ca609a014777e464eba9c4b391be2297b65cc89c3ab69

SHA512
c6a3c80aec765e76a9b0edf18897645ea1c4be178657317c486a6861d3a5f38d5e33b2f48483ad41a4005ae3677da70ecfb803e557ee6d8c8e3d9f3e83ae6f2c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
288KB

MD5
e63bb1bf32acbb98b16e671c868334d2

SHA1
fd71b3006b8f152efaf1d4a44edff51789ce0038

SHA256
9bda818c679c15d35af82b2adef2d4ce071dae1668fea17a80faa6861eb5e505

SHA512
db7f24fa86c7edac483f3bdf358c7a031175519136535b68d70a12a10dc8d28ab577fae5fb4f2fed861615ce313c360166e2869235ec8ae5f049f90d78a22c82

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
126KB

MD5
ecb9c2d216425c31717d3037568e5912

SHA1
f94b167e80a7bb3778e44c969c060b5151d716b8

SHA256
b4bdc6dd7effb95a1e92b8a7d68879a0ad9a93b1b377e63fd79ceef94d5ad9dc

SHA512
6681725bc9c2b2f2788d0825721834d31e76a55b4e3f3fb0555650da26fb287142a719b16457633b01935695b782a73863d0bc7b6a137093771a2feb3c88151c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
cafa23e2061f2d81bab28601a9da6caa

SHA1
69393a6e93acea4c2473254304baf1ca584bca48

SHA256
7762b45c2eb533d5ac20bf61f2942446f1138bef43ce535fb27ff0bc561061a8

SHA512
8a265f3823c76138925a9d4d88ea51291da0f4aceac95f4b7bf4f6578f21646022592427e1debb53f6024c7f7ea6d3bdc6333e1ba462a68e5aed231886c3f8d2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
279KB

MD5
6939bb7565d33e4ca570e5f3a4fcaffe

SHA1
90b60ee115f7c55f30eadf2abe76936b971ddb1d

SHA256
37d445b02ce72c64c4ddd614d8522da83dbedf3c6388f38962d0e5b233697b22

SHA512
43fcb46a132b61b5a8d9f704f4b775a2ab09118899755b5a31b73e19ca274eb08758a46c6d32a5919893ea2d7a5c10113c1e2ce489c1d7f80acb968c0f5e5599

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
8633eff85b4bdfdfb438dd7917aa5848

SHA1
56edc0d80104e900df42853442fa2dd12b92dcf2

SHA256
dedb5b78e4ada77df93c38e532804b6bfe8675ecfb93ac4635b97e375c065a7c

SHA512
a5bdcbc031e7cf6ee2f269ac21aa049d40fc304b0a49c014424bfbbf386ab4e994cc85551400399582afd19ac78978508bb2b43dc7214a0fc5525c46d0b9f2a6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
52KB

MD5
19f45058faf4f86ce3156230ed77abde

SHA1
e080b426c11310d34745fc4de29ed8e762127847

SHA256
087c948a1f32c07c730dde5dfc647c46ef61047f6c49f68d3325798209261df8

SHA512
105458a1844c82f788e916bf8fc6e562612564504d55738a00fc69d970fb777b5d7ca46cc03dcc6556786def53a75521c269b571e63d1df33cc00451eae880a7

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
69KB

MD5
dc06e2cb64e7599aba119c660eb07dab

SHA1
dd97ba93998ee79cee93db39ce96af9efa526e08

SHA256
82fa7933bd0ce4ee8b9b36463bc62b2ae3093a3050956c28b08f1d38e9cb2d83

SHA512
0ec3c19e30b52f73363465ada47a409f5a9bb056c731bfe6929799fd4dc53dbaa43b9cef1a310887898bc33feafad3754c26d6387e1b04eb8230d38c3bda1f82

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
d1e9d952daf01059a405059749357685

SHA1
40f2e7d8aa2798eb7e2a71b466a2cc7d52e6a695

SHA256
829d63d71a4853b79b9902768c710d74c2bd0aea038aa976cc8576e02d86aec6

SHA512
9867144381b0b1c4f7060297e515b6c900d6824a045a46211fc154059cee313a161b17b856ded7b69b4a8233d8b065f79020bd3d62e64de62ef96cb0d195cac9

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
769KB

MD5
db17af80ee1e2a6e6dc7e72a89d6be43

SHA1
3764a08d2f0571c8df2f4b20564755112ab8c634

SHA256
4ffba12a2ef17d4fc68fb7f8b6a0b572551ac36abe353220a47c80eb72a5ddfa

SHA512
814fbce69fab71a45ff54726613cf56811d81e3ca24fbf2d1f4b57ec36c753b13b95c18c0b01ff808607d149175141df488b4dae9a6c8c25b9e7d016392f3db1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
128KB

MD5
128ca94a20610ea4c73dea03303f3ca5

SHA1
44886fe7a095372aa97f98d0a544a2b1ec26ffb1

SHA256
30d3f3da490f97c4963d0602998758f96eae64667fd02feca266a2362df7876f

SHA512
edf7743b8d49971219a9009652df914c4e2926cd087797d65115cc3dfde8ff895eb0daa1292a40af78067588a169a66245235e1b62ca18fe7d7acb3e640c70a2

Download Submit
C:\Windows\System32\vds.exe

Filesize
268KB

MD5
bd6562113acb1fc58ef58f6f9b27016c

SHA1
8d5dcfce0a3545372fd56d77ccf25f875dbc3b74

SHA256
577c7080758fd804133c46794f411d8345ac907e7953af5be9fb43846268d7b9

SHA512
89d296325c5bfb9b9e49d3541788151478b5d3f1f567f5c3ca26cf263076369b3facb9d56768d423076d8846d3a9226af766581c09a37cde46cde9d4d1359055

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
90KB

MD5
f9c5a9f6ad13e5a295ac9a5ec61f98bd

SHA1
81f3f251f1a121b3da04d37ea73e30e9ec85e439

SHA256
69ba9444d09b5508623a2e2ab52c9873a3e12ec8f8c90a33a0f22b5b73eb5e8a

SHA512
2c314302d17e537e2329edb99ff8da137b742a8c0836d0f161cc31d53c564f90973a3ce8b3b099be7e8a6670534af2402b802b7afce5cc2425458e57b4f17e2f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
228KB

MD5
bc7d52f8848149980e223263cb0d7a28

SHA1
ccdb264af06103c02a23eb5ec281251b8620e38c

SHA256
4476743d3772f68ce5a0d60270acbd450490ef5fa013bea015d3891b685cbe6c

SHA512
ceda76e7a5919a5936deb929f7a3d4552116cca8085ba86ee16be7abd888e91ec2bcc094ae21d2b73207d14722355b4d250290b3622562105522606c0ca49d71

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
29KB

MD5
612b60c7c0981dbcfe038c86fd0ecf33

SHA1
42242909bd519ac5b5beefa1b6325816f59d2d6a

SHA256
ed434c70a291decf0549d351713fe71f53d1d91482646e74be3fdd0dc42bbb02

SHA512
bba4b8fba1ca7ec099babed0fa89c64d84eff6446e12dd1ae75029ab6573be209e43ace1dc423bf7e8c65d5e3a0614c84da4ae88353c045396bc7826b910af53

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
200KB

MD5
ac966c230dd1bca8f9f5e81f26a08a36

SHA1
dcee89126e7a13afdd6bfec68e8c80715e07066b

SHA256
ba7d56e4bb23c061be69dae9c52937952749856f6ce92a269751358f60f8837d

SHA512
5460a7e5720a3c794a92d97591e4d9727c63a34dda94cab79caf4915ba64daa94fce223b6ef7f1ecad69de75cd99199ceafa12b16665c8501f89e792678c5c34

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
525KB

MD5
43b606f7674c25f6a8ff48b8b8dd2053

SHA1
a13cbdfaea98447f8da8a7abcdba44aa6ca2e834

SHA256
40550c9a5825a559e2de18bc42fa5e4fd0c36bb33d95e8ef333ef772c210dff0

SHA512
6eac5c6cb9d9ebcd4edc5f00323a6510c98e14ee9cec866b3c9422ef2d9327a45ab2c2e7c92f5e6052a48ae7b2ae788567f47d74f4a7d76aa3c08f7fdf440392

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1KB

MD5
eff05e1170df28d59c4e95ba1c910095

SHA1
b6df712dd0edbbdf81652384a114b6786c46d54f

SHA256
9425c515834b7856091803a4689f9072e460cb74fddcbdaff58ed7001e326128

SHA512
36a62d694f95c2a2bdae63283d163ac22f12b6c52c1c6496d550fa46404bddf481b0e23fd501a3999feb817b28f0ac26118f1235858ba69b4bfefcd158034f4c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
fa641eb290482f00c0d3727d2502a9a2

SHA1
9ddc896c6be639dbb86f6913f7c09fc58afd9d09

SHA256
0b3432d9a7577dc43afef486c0c7c6ad4862cad854d0e537de9ccb72833f8b76

SHA512
6ef9a0913b4713beeacbeeafd27febdcbca80ea42c8801278132294c25f26744bdda80feeb859f37d70b7a7aeb05a6c88a752f0bb0339de6a18126f9032d874c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
603KB

MD5
15c05611c434341b629bb5ca7d3ba051

SHA1
d9e3249d322e7a4fbaecbe582ec46e4575bf8d83

SHA256
22e15952e372edcd4500856bd905ea6d5f0de3659cdf761abf378cd9da178325

SHA512
91e7ed2521ed18bebdd2164fabf550b2094be907c4b3d703a1751ae9e76b03a10c540a0f7c835f82ae1b35dfb32f10140b3122dccd4c55e897400b6df532ab48

Download Submit
\Windows\System32\Locator.exe

Filesize
469KB

MD5
5292c55189d41cde8c24792ebf339026

SHA1
24d7a2b8a7cc047fe74d6ac8a78b0aabe2823366

SHA256
cd486a8ae8d0f0f077d6d14ff3cfc94bb40c8fa0e131aeea97c6c838006937e2

SHA512
f410fd4fe6d8bc6ea883c651338879d8bf92665fe1375cf99d69b142f942a7597d1fc731f03fd26bae53c20cca303497baa124ea56745120dbc0f8ec94e79220

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
340ba3c21d813f680717da34fcd4d522

SHA1
568202c0c6055879b7421e30dd536fb81625cfca

SHA256
daaf89251d4f56a902f4cc1dcff111913e4044b7b99d1a4fc7d212a0b2467b7e

SHA512
7ea252dbff57c51b67edc628762cf21be2083a147e769b9b86f55760857229a9cc867b7f372d8039c15030161debbf5ca103cc810b89806435f5e1e1c9b58f68

Download Submit
\Windows\System32\dllhost.exe

Filesize
131KB

MD5
3d09f2ca9f438396e1609382a48b67fa

SHA1
9302c07747fbb0830e749f93fa53ddb7bd8340b5

SHA256
5b413d542c8dfb04b2f3ec5d50c4007427b90017c8a9ef3b9f2bf82e829f97a9

SHA512
faeb9da1a607eaef138dac923f9fb829eed4b29b654b0b38163692fd2c122e60ec4e25d2a6d7d5631326983944fff10e6a1bf97a0ec182f3a6371aa94ebc5f85

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.1MB

MD5
50a46bfbcac19d26c8d4a561368ae9f8

SHA1
96ec808a603b12027db6d9a6ac16e0409c6fd75d

SHA256
58df131a6f702d7f00db8e09bae9bdfabfd87e92491378a411cbf843f4e764dc

SHA512
0a558b781e6de22a55fd88c11b9e09f107f48ff18de66d9e39c7a2c46a6181250b463a14b98e2b6e2033e546e453625b154ae76b1af727ee5e3b88bae04348d3

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
774298a1bb5492b040859e95e86cb1da

SHA1
662bf775fc0b4d707a4eebb674c6bd29d880efc7

SHA256
c4e37844412b0da0f7b973a15f775acca0182f3c83ad871f84d1d3422b2880fb

SHA512
a46bf1eaf04898e4f5e7e5fc5aef84a90f00ba183dddfd3ce065b02d753cec0e8ff78962cf3313e411c21dc9a13d39a1b149232046d814f47075576913d194ca

Download Submit
\Windows\System32\msiexec.exe

Filesize
541KB

MD5
c97a9eb97b27c48941bcd51938673041

SHA1
8f688a42d608764137081c6a3ec9a94e48f3c5ad

SHA256
d8021915ef31017db662d873c2cc2af13ff4ce99a1729f18f4b0346fa099847c

SHA512
365050f5db5d060a04a2414435c531941b95d7d32f665c93276efcd6434f9d149dd05f591696a74b354dd7f12fc7c1ae37dc874d32e6b17ea2d0cc79aa92e34f

Download Submit
\Windows\System32\msiexec.exe

Filesize
633KB

MD5
ff17bfd01713e9c87d87b366fcc333b5

SHA1
38239c9a1e87f387f7e27c49ad4a15ac9dcac24b

SHA256
d7d7c367de2bdbb53a4a5a45b38aa191a82449a1f99162f79fe89c882ed96752

SHA512
964de78dd5a117c269fac3f72ac86856dcc4634b400b2821e1f5edb58f521d5614ca7914ca55dceadabe0dd74ef4cbfcc3d82b69e53a867fdf85f3aa486532cd

Download Submit
\Windows\System32\snmptrap.exe

Filesize
127KB

MD5
3372db36cf8ff4e16b2d07bc6925dfae

SHA1
75275b11dc5df2f6c0efa0456d960808810dd791

SHA256
de660d88e55bb4c96bfc255b25dd8fe18580c2e402272c7147b6f0a91efa60a6

SHA512
6d5d4100ac9ef0d00c609c7bc05034644342f225927b651c21db9446dd0658a47bcf53cb46b933547710ac1516f70726d08747a563c305394164572f4e23d8b6

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
175KB

MD5
017a6fcc1f57d214ca782a67bac6e9be

SHA1
67a8f8f978db666504ebb395f55b90d5e2b306e9

SHA256
8da21ad06572c030210c9a1e1d732e4b7e2367fbf95bbb26e7b55279c642f1c1

SHA512
06982535d0a067720aac306d2b05a3ddcf86674fd975ba0846cc9e696d5a1b8ca37f293728490abd617983f9e443a95bf1c523d9fd80b581f1df035335889ee2

Download Submit
\Windows\System32\wbengine.exe

Filesize
241KB

MD5
435968b80388f34828476bed3fd9f9df

SHA1
605e5e428a939bc3ff8b14009b6c1899e1bccd69

SHA256
bac8a083233f0c4cc53620f86f237393a5ad0fd3a61faa2f244baafde294c418

SHA512
23f250f3ccf7e5c8364e8f784e72e2eb55898d49d24ecda769c68a8d179425fabf9d7cdd49342759add6d036ffabdcc9434f5ac6d99e0c5eeb5a1b72a949f37f

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
108KB

MD5
13d90fa72d79506f9c5a1b37ca7f68ef

SHA1
103027cc89e6f16fabb8586ce60056871c4a3106

SHA256
3858e99cb99063d7623bb0eeb00437af06b77b09d934407a3a4cc8c4d072f5cb

SHA512
2b3561cb39a2792e5090dc74bcf6a45e2c387824b83ef86580f0bac1d8b9e77fff832c17cd7b9cb9eadf30db3f9b5c8feae0d3487b18b9e0cc94b6ca4706ba63

Download Submit
\Windows\ehome\ehsched.exe

Filesize
229KB

MD5
ef83d98c4ec6c026f4ab9b198a4bb674

SHA1
0f1aae2d6d0e55d9afbb6bc1301505236bf5d856

SHA256
aa271de7a6937627d98c54bf183a2c9b3985dece40eeb431076d207bf73c87e1

SHA512
6c7ed9339ef0f5db244ed35fdad3f61ced45e54749492d67800ec4bebbaded474c789d06ff0bd8be5e4147fcebf471ba955697cb7019ce7bd967f99efa9d9d16

Download Submit
memory/328-206-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/328-201-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1068-236-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1068-252-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1068-242-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/1068-244-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/1164-213-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1164-218-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/1192-135-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1192-81-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1192-72-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1192-75-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1440-217-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1440-153-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1440-247-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1440-268-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1440-270-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1524-258-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1524-264-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1524-265-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1548-253-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/1548-246-0x000007FEF4490000-0x000007FEF4E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-191-0x000007FEF4490000-0x000007FEF4E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-187-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/1548-248-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/1548-185-0x000007FEF4490000-0x000007FEF4E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1668-118-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1668-125-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1668-119-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1668-234-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1812-275-0x0000000001000000-0x0000000001142000-memory.dmp

Filesize
1.3MB

Download
memory/2084-208-0x00000000005A0000-0x0000000000606000-memory.dmp

Filesize
408KB

Download
memory/2084-204-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2184-151-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/2184-89-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2184-92-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/2184-98-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2308-287-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2308-279-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/2396-63-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/2396-44-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/2416-13-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/2416-12-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2416-90-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/2416-19-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2524-129-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2524-131-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2524-127-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2524-104-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2524-107-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2524-112-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2524-113-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2524-222-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2568-223-0x000000002E000000-0x000000002E161000-memory.dmp

Filesize
1.4MB

Download
memory/2568-251-0x000000002E000000-0x000000002E161000-memory.dmp

Filesize
1.4MB

Download
memory/2568-231-0x00000000003D0000-0x0000000000436000-memory.dmp

Filesize
408KB

Download
memory/2596-61-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/2596-130-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2596-56-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/2596-55-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2800-250-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/2800-249-0x0000000000570000-0x00000000006CE000-memory.dmp

Filesize
1.4MB

Download
memory/2800-216-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/2800-211-0x0000000000570000-0x00000000006CE000-memory.dmp

Filesize
1.4MB

Download
memory/2800-220-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2808-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2808-33-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2808-105-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2808-26-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2956-37-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2956-69-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2980-137-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2980-245-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2980-145-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3056-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3056-73-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3056-6-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/3056-7-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/3056-1-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download