2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a

Analysis

max time kernel
87s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
Size

1.2MB
MD5

9c570d450016d56e5a1bdda735539075
SHA1

f369d3186cb38ad6472da7b14e814100356020d1
SHA256

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a
SHA512

b567f8b216c5bdfd312b833756c29657e49d5a890bb726d4cd37120a8757c9ecbbadc203d60070470e27810b41b7bad2ac8033c1cf960aa66a275c8cc10930e0
SSDEEP

24576:JTN9gj3Htgtozpyj4mIexbUSAL2mZ7mzAWbeIYVgOBvWi:JYHyELexbUSCfmzz9YVgY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 51 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exedllhost.exeOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exe

pid	process
476
2628	alg.exe
2844	aspnet_state.exe
2764	mscorsvw.exe
2256	mscorsvw.exe
2900	mscorsvw.exe
352	mscorsvw.exe
2792	ehRecvr.exe
2560	ehsched.exe
584	elevation_service.exe
1180	IEEtwCollector.exe
796	GROOVE.EXE
1060	maintenanceservice.exe
1916	msdtc.exe
2664	msiexec.exe
2672	dllhost.exe
2764	mscorsvw.exe
1600	OSPPSVC.EXE
2052	mscorsvw.exe
3064	mscorsvw.exe
1784	mscorsvw.exe
2388	mscorsvw.exe
1972	mscorsvw.exe
2380	mscorsvw.exe
1396	mscorsvw.exe
2072	mscorsvw.exe
2304	mscorsvw.exe
1584	mscorsvw.exe
2188	mscorsvw.exe
2992	mscorsvw.exe
2520	mscorsvw.exe
1716	mscorsvw.exe
2804	mscorsvw.exe
2104	mscorsvw.exe
2776	mscorsvw.exe
2856	mscorsvw.exe
888	mscorsvw.exe
1628	mscorsvw.exe
1996	mscorsvw.exe
2392	mscorsvw.exe
2352	mscorsvw.exe
1260	mscorsvw.exe
2152	perfhost.exe
1584	locator.exe
2708	snmptrap.exe
844	vds.exe
1284	vssvc.exe
2448	wbengine.exe
748	WmiApSrv.exe
1828	wmpnetwk.exe
668	SearchIndexer.exe

Loads dropped DLL 15 IoCs

Processes:

msiexec.exe

pid process

476
476
476
476
476
476
476
2664 msiexec.exe
476
476
476
476
476
476
760
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exealg.exeaspnet_state.exemsdtc.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5049454ce738cb9d.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeaspnet_state.exe2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe

Drops file in Windows directory 37 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exealg.exemscorsvw.exe2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exemsdtc.exedllhost.exeaspnet_state.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5079FD4B-1D2C-478A-9FBC-59794A4624A4}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5079FD4B-1D2C-478A-9FBC-59794A4624A4}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 30 IoCs

Processes:

ehRec.exeOSPPSVC.EXEehRecvr.exeGROOVE.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ehRec.exe

pid process

1652 ehRec.exe

pid	process
1652	ehRec.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exealg.exeaspnet_state.exevssvc.exewbengine.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2080	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	352	mscorsvw.exe
Token: 33	768	EhTray.exe
Token: SeIncBasePriorityPrivilege	768	EhTray.exe
Token: SeDebugPrivilege	1652	ehRec.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: 33	768	EhTray.exe
Token: SeIncBasePriorityPrivilege	768	EhTray.exe
Token: SeShutdownPrivilege	352	mscorsvw.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeSecurityPrivilege	2664	msiexec.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	352	mscorsvw.exe
Token: SeShutdownPrivilege	352	mscorsvw.exe
Token: SeDebugPrivilege	2628	alg.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	352	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2844	aspnet_state.exe
Token: SeBackupPrivilege	1284	vssvc.exe
Token: SeRestorePrivilege	1284	vssvc.exe
Token: SeAuditPrivilege	1284	vssvc.exe
Token: SeBackupPrivilege	2448	wbengine.exe
Token: SeRestorePrivilege	2448	wbengine.exe
Token: SeSecurityPrivilege	2448	wbengine.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

768 EhTray.exe
768 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

768 EhTray.exe
768 EhTray.exe

pid	process
768	EhTray.exe
768	EhTray.exe

pid	process
768	EhTray.exe
768	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 2900 wrote to memory of 2764	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2764	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2764	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2764	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2052	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2052	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2052	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2052	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 3064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 3064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 3064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 3064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1784	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1784	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1784	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1784	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2388	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2388	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2388	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2388	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1972	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1972	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1972	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1972	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2380	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2380	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2380	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2380	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1396	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1396	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1396	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1396	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2072	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2072	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2072	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2072	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2304	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2304	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2304	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2304	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1584	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1584	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1584	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1584	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2188	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2188	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2188	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2188	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2992	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2992	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2992	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2992	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2520	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2520	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2520	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2520	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1716	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1716	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1716	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1716	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2804	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2804	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2804	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2804	2900	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
"C:\Users\Admin\AppData\Local\Temp\2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2792

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b4 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 1d0 -Pipe 238 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1ec -NGENProcess 1d0 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 1d0 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d4 -NGENProcess 1d0 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 1d0 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 274 -NGENProcess 298 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 1d0 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 280 -NGENProcess 288 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a4 -NGENProcess 2b0 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
PID:2764

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:584

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1180

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:796

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2672

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1600

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:748

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:668

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
PID:1920

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
2⤵
PID:2932

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Filesize
195KB

MD5
ead79064e73fddb3e349b81b0591f5f8

SHA1
bec33282c50572d675c2eea990acc7289b54be81

SHA256
a25cbb88c3512e53e8721a5c6f24da96339f0f3667835fa1a70e6822af3ab96e

SHA512
b8955bbb52b9cb0db2a55efa773487ff8de6ef1fc86f2b14aaa2b2df539bf80ce85c8214d9baf3cbf2aa925a3867ad861af546cc61a761652a6f756746a1dfa2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
72KB

MD5
7228ffc7a196e8f8a4bb0b49265bc9f1

SHA1
87196a3142a79620bd491bb4537db4eaf1ec5556

SHA256
f58fd73470370fcc9fbb646259faf8821f30d748766851bd5e00a8ac7d7316ab

SHA512
54103999cc8be7c0c06cd0149813280953c94c8f736a0d318d1e6a6bd40428832cd0bd38f901de62143b071d223eca75bd48556d42ccaaf0e0649a2bd8840e5b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
13KB

MD5
e3bb63dd08ff75446ff136eb667485b4

SHA1
5b3dbf050312714c2f1c8808feb5e0e5a03cebe0

SHA256
6ecb64a7523a052af91279b74bc8cb5df53fcfd05bfbba58ebcb9269ba6794c3

SHA512
9ac7da4094c394ee972dc61fb20165704ab7a90dbe7c2af1190d09b88c9e0e25602b8e31bb125aab718d3767857c0d2eee34b04b0d73157f0dc6c4e2f02cd86d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
167KB

MD5
bccee9b56eedc8aad9fea3483c65ad08

SHA1
5dbd1b9e061428cb71dce74fc3604cadc9537068

SHA256
055ff7e2e5280ce22b4a9de3ba16600792e56ffded4f85acd47354681f4c8cda

SHA512
bbec2d583019a8a6136dab9cf9022888721ca3defbb1009382a6a41e9c1cf49f0666d4ba56967c7009ebba7b26d04dcb243a6fb513bf09a0233e114ccd38fe7e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
90KB

MD5
c35eb6e975497093ec74ffc17c201c14

SHA1
dbb7674392311c0e363c62f323da754daf4136b2

SHA256
2c92c980a5be4d82d215844abbf3a652e545d34092746d65c3e4a752e0ccbc9f

SHA512
3e410d17855bde7ffbe71d23224621c9993498fe537221da300804874bac59698f8346b7fba6fcf3811947a62fd40e608c2880a3f8880fccb8df49e5ec8154e1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
13KB

MD5
5ff6ebdb0894b88c1d73f6fe896f34e6

SHA1
13a10cf37d930a891b89d3e19f4a888a8d7e9962

SHA256
f92f96d035b99f2a20ff45b3803f2fa1fa7078a0f674fb390524739faaba2335

SHA512
a3336038435f2d703db9c55241e025b2b5dd9376ee42ff87e3466ea31dac1ccba82947d5413e1313d34023daf2abe60dadcd8f1559fdc383e2b9b93bccbaa67b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
d01341e6f06714422dca5d0157a6ca4b

SHA1
315fa39c946cf62227a950fb60a0b08125270b66

SHA256
514cbcd2e5fb361a201d81f5484843a3012f813b955e354a7f446ceff74fd16f

SHA512
ebf771c62952ace269714f547a0c0365dd5cc020d534870ad12d7295187d810dd192cfbdacf4de1f00960567448a46a0286e66a69da6fad1db65ee902cdbf185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
322KB

MD5
fcf44a28824e793dd2f33d0f1d205b3e

SHA1
6bce9c0ed39b66bf3d0ec069b273e459880fd0c3

SHA256
d68fe21b8e12abd16217a8a5b941573c5e4376805c37196df2e404a3a7160351

SHA512
bc1e086a6f97dd76a1894ef10bd829522e62a0c393afc4fed2e4717a87d054e281c525ac5b790c7da345cbc8cc6f46d6aff28bf37f2fe77d65ef9b61300b213a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
284KB

MD5
42d31a47e4a23d970da4c37cd29a6a92

SHA1
9c0ae521c480d5c8a76e4b00eb09d84ee71ef4a9

SHA256
3599f28a92926b6e5e653efb8e36bbec2cfce85b84e745deea8317ceaac16714

SHA512
470ba5e71d17970c1b546e3df17867ce5cc2de130c9952e7d61cc05315168bcb97d81fbdb2bf56fa63012367d9968046d63ef8ee95d67cd2dd4e2314bb2b3ba8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
370KB

MD5
e9a652ee32d1fe0ce1baa3de0ebe2c50

SHA1
9266ef0585da810d1bce461c7e30414271c75db1

SHA256
731ff509521562f08cdc0e678f5bd30235e84db69de9fbdc2b728dd6636a5147

SHA512
fb315e33b3a54497f57e5e148a198fd4626db5ba581b32e74531917744fc5a53f2ea7b38cb413130d99987c63f0cb9145fd41b7b53eec0ca6d3130b48931ba99

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
120KB

MD5
98711ca65ac397cc10c50c3a15fffa90

SHA1
4c511201a83325e4bd765d015b42661142416335

SHA256
ef4bab8bf4ae45b943adb0c4d9c2ea7fd274270463ff8dd76840e8b93fe0d407

SHA512
f6c69bb83a889c9a2744544fcbd1cf3baf4dfc2414d411bb67de574137ccbfb30dc4af3cd7b66eb1c0fa91f26df18ce71c2c781ed7b39ab3d8d483cd6ef31ed6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
84KB

MD5
0cdadb31c08250029fccfe7d208c820e

SHA1
867ed5bf80790e39b1895e10386b3fec3ea9bb81

SHA256
b88a9ce1fec39410d6458a86a984aeb8676a8430d6b1cc4fde556537070aa36e

SHA512
9f7e4cea3387f662a0c113da6a42cefbadda98d061479329bed8e527ff3ffe011e781c391c5378264dba17c9f6b328638ee854e10090dba0e3e346c9f4432ca0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
600KB

MD5
71f2b140095015b32d8953f80307cda1

SHA1
d2b3f457bf925c1f7bc48a5a239515dd1c34538e

SHA256
d8e345943673e2c1737a8566aa2617d172e5afd088dea73b8c4b7f24ca23285b

SHA512
69b97d76da5a85d0fe1380a7f000c6d62d499ab23e3e1817277a70642c5c0e2d7f46b70bef920cde5b073b35317c33710c1e900a14083a1f7c0b20e0a3ca7778

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
212KB

MD5
2f4582e3c40f6518cf0e7dce699f81c9

SHA1
4de09ec02b650b218c9aad31fc81b188f2ddf62e

SHA256
bb0d1d8ba42944938e3499144d1849d0c27c46b4706e8f7fedf73b0978aa93ba

SHA512
3d1f027fda26c303f0a15489625bbbf4d8a6df96d2d1d4e3ece852360df66ae76598d9ced1715c9abc33dd74d4ada7a4ca3f2bda454782b3820dde07a236f0ca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
311KB

MD5
104a6f4488abe10db8fda0eb4622e9e5

SHA1
0f7cfe9f73499c7864a940020a9ecced86762fdb

SHA256
72955d6861bb991d6113726a15884794f27fd70b0ca23d78f60d9991fc401099

SHA512
1fe3038e4892c4d2149e7453a7443106f6143e16708ffe029d573f061b2a14bf30e0e64413516b9440ac4c3b17144f5a15774e2951d282a0c424b698cb6cebf7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
280KB

MD5
8baedf51e9f9a98b6b349b16d754c041

SHA1
93d45443b38ee0c84dd771a3b117018467a934b6

SHA256
bd337ce62a285fbf8fac47d9939be67d6a819edf2b302bbb64f1a09710c1449e

SHA512
794c277d57698780ac29b8dd69afcb900acc05a0203775fb2fb527e54fa28f3a6666784540f2e458609ad775bdc4cd6228e367d9f27cdf824bc86e5cffbfc292

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
122KB

MD5
3c1bc4564f77d4b24f616e84ac4dd758

SHA1
a6aa5e205f2850d058e3f591b3a12464a8cb7e62

SHA256
0295da34082a89fbfafe5d8155d744e92602d64b568ba6d30048125ea39076e7

SHA512
22d5b53311aa5d3906906a1cdd41418225c28b3ef8396b27eeb60441e755abf8b744dfe1d7a2a169ccd2722fb137c51946f9774a85418d15da2e0680d2b33597

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
157KB

MD5
f0cc06632b77db443f1d10e0e48a5e1f

SHA1
81cbb8f58b3557a948bc39f51478cca7a416b7b0

SHA256
7a472c89436aa62f0147a01fe29246fc0aac916553e247e346ec199fc1bdb5a1

SHA512
dc9e64fe0ddc0ac80dece485effa49615d6ccf72977dbf2497eea5e0f35ecb9a8567fd5b6fb4094a45b7a297c10ecdfabbbe4e5052334e11590498e6b4f06ab1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
88KB

MD5
f608ece88444659349ad981a029c31aa

SHA1
130f66b9aca3e33b1f901dc46ce1b8004491b294

SHA256
4a2eeff1ad5f49b3dd798e3771fa3bad97544cfa4ef6ff2eb7055cec31d04533

SHA512
5f64e0941a9aca6da30712193e3f31e387ef7f9f6ebb111b77bb6450e0304ee6b2878ca58dd9b5a9073613bf53cf254d9e9edec804df27faad72be9188a0c730

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
63KB

MD5
51ac631d296d8064e7dc63a61fd888d3

SHA1
059830b2cb6b585ccee2e432bc3b1b79686a4a40

SHA256
7a74e22a070284ec6fffa8b54403b5962ac093016ac726a56004d0f4ed833762

SHA512
bdcb946ea074914d912bd76b5f708e37bfc2cdc557c7674a447ed4e2bcd86a0e17d357a17896f1a1760520f795fa8a8ad82cc5d172b3b5f527817aa48d8c83e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
35KB

MD5
edebcc0ef7cdd81b530e0e9cc61e0959

SHA1
07eb170da49a7b2aac182b209917fe39ad815237

SHA256
0b813ead9f569cedacde092e06dc78001b2c364076316829a525b03f5d64ee1c

SHA512
8abaef76bdd97b3b3d80108940c2b2c030bd5e04a025db196cdcbd6a804acf9a1f54fbf405b38007a6568cecdee6dd0f8352dfdc7012c67c0aa440a6d8c5df0d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
143KB

MD5
38eac42c180c7f5ae3a06941127f4c37

SHA1
a0b23baefead21007ba7f7e92a9a9556df4bc0e7

SHA256
c6381daf895a5e8c17e7500d8e41b6c5f2d55753ac0b44428cbd63227381789c

SHA512
818fc6d97dc30242810d028cc3bbbce9e69c543db81d9e1ec0e7d3546d76ac8222c054ce78e5a3eb55dadce2912c4cd120ab8d6b16930ef53a685d463e846ec6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
136KB

MD5
edd7266ef565cae5be58db1f3c89cd37

SHA1
258c7df27c2d548c1455f09587eb36e978826f74

SHA256
9f2bfd7bb751455eb93b1a150b6c4744049535da3122d45d0182b18942f21c6a

SHA512
36090ff241831fbf3c26605736c992b2a5700cd37425851640cd95f7e619f32d9b96d0426e02bc83795314a2d833f002ef5582b6b85f79acb0b32868ad60bd1f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
349KB

MD5
d263dbec16b32251b0166a4184a0cdc6

SHA1
421bf75564c812fc1023a7ef105be8147654864a

SHA256
43600b18c0edb5e61263e5dbeb7983ee135473055b549f8cbd5508da6a2e66bc

SHA512
b3e293e1f6b271c540bb87454884b2b95705d9daad562e5c65d0305ba295781ba7696330fcf87773ea68683b354a66f8655b845ec4557540888430dbe8d7badb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
268KB

MD5
fc2665a64fa4a542c5afa98e12bec5b0

SHA1
3ec762e5ca28e7167f03c04e78b1a891dd743e1c

SHA256
4ea94d6bae76c1573e416e8ef0313bf120f0f2553ba4690f08e04eff2a925211

SHA512
2a7ccf8ca8356ad37a2be0f2ae3302b5056687c530ac26173e841b97f1aebdc55480be5e837e25935e3d43bbff3793636e47ff62407a3f74a79a1dfe915618e2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
153KB

MD5
82dbaa3860b15fe3d9faf83ba48172af

SHA1
fa72fe96f7503e954076ab46572230c3ee60d5e8

SHA256
62590e7e6a872ea97a2b25a2d2d9a6e3f79e1bdfd232d2c678c641c86dce8846

SHA512
a10cc624c0c70541ed8733b836873a1201a67970b74195247c1b732749e7129d11236949f71417a71cac8d1f12f85d6634bd13a099a50bb0eb142642e3ceea4a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
102KB

MD5
8331ed58886274ffe9e52179cdc2a8d9

SHA1
6a6534057b5d44ab23f3d73481eac986fcfd8528

SHA256
e8517ee0ed1da6a97f67c4064f99619cc046161c704167e71346796e42df39d5

SHA512
ca6af15fb4feb967a38fe5e29489b10b80f53eaf2a0659195c3ed86f592e3d4641053d73a155a43285bd3eed7501f409b1cfbc929b1dcb48614c1ca927dc308c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
617KB

MD5
c1d3dc9862e19c4bd170d3bcc48b3824

SHA1
bc570452f96340a508b5e167aee8c482a752ee26

SHA256
c378779973eeb1de903bc1d960669a054e767ce528c49c7866ab5f2329642329

SHA512
567a97ecdf6f45ea8af29c701366441ba51ecc059f451ce9702d316af374cb588631fd10acfa27b172abe193d080f9d86df9cbff96eec1e5207ecc5bd0780c6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
327KB

MD5
3973160d3c96d05d79a37cdf0368c19c

SHA1
175df7a14b44f7b4da22c629f361c4564988b32b

SHA256
b5aca0c7893dfb77e0771a18e188291489b40080af209ff0f8ac14326cffc1ba

SHA512
5cacf0a82062f8452f0e22e486b6397dd1f15c488c9cc77c1a5cc5580e4cf778ed39c7c7d36ee960db46cb8df4a020f8c68271e91eb893a4c27c36eb0a92e0e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
77KB

MD5
9c0cdedceda7a5040061cdc34ccdd467

SHA1
5bd1b5c799c70d9d9589e95bbe1e925964a66241

SHA256
ba8d9a38cd4c84e87bc74a549fb95148535c91a4b5021b4abc93bdfdf8bc37a0

SHA512
7a21ae135291e9c62e1800c088ac753b7c35da772317a43e86186c2b8b36e83dd1cd71be130477bbfd72dff40906002b8e5ddc969b034c755abfb3e6aa336d37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
472KB

MD5
3a66328de22ce7cc34587786a5e3f3b0

SHA1
965e33bbd9db92df26fc8c0b644c84f4377c9562

SHA256
0acdb6ba36c69f5d32d61b3b361cbe54a509bb3957334a6872373fb6acfa02fe

SHA512
55687a9675cce28d3ce98567a012606c9aea58cc82ba5247023a2dcf84f971946d65640ea02ea365cfd9e011413e2878e34691f16165fbd9714eded116f5d858

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
576KB

MD5
eb2b5e10f286c51f79d6c7eafef05a1a

SHA1
6234a1910980d9f4f49887e37ef919cf569ba617

SHA256
3d879e02bc0daa8f1e59c684cb28ac35ad1de7d8b4ca6c2645e6283a80aaca90

SHA512
5e52a8c0f2509f8b220997bd22d4bd79fbf87a4a5ada7ff395d412de73fc2a1cf33bf69fd350c2015684fe94b77a976f1697c2ff77113b82315c7f8b9ee5fc58

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
45KB

MD5
55c335055461d63da47bf1a980ecdc5c

SHA1
284f1c34ef76601b9910c9dc4531ff7aa46c5367

SHA256
7634abcdeeddb91a84ee5b97aa02e8b8373687584762411777653814c87ee394

SHA512
a8e5cc954ec3d588520908fa61e653c1e00de374de8a8e609eb560e5fda2c5cac2cb7224f03249fed77a429946f2394e8681178fec15ffbfd770700bd117f808

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
285KB

MD5
a3d807c83e09221366e30eba24fcd2dd

SHA1
e8fdd6ef945b0bfb2caf120ebfff30b05e6acab0

SHA256
a60ab40d3010003fb6179e83ea69780982525d91d3a7e1c189c8abe67f37d608

SHA512
7751852f8487255bddd4014a6f09626f57d5be58232ac9e0d8f689e5e0c87163d8e67f93100135d0e775e660040814a605bd60bcc4bb5c63f71fb814e6f32475

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
210KB

MD5
d2d730ff7a6b62d439e9abb7edbdd365

SHA1
a0569ab40a6f3301466b5a316bf86d694755488e

SHA256
a0d93eaf091ec60f6b80a6865231f2489408e0bfbd5f3f145816cf33c5e0131a

SHA512
a76c645673d3c4271d2bdca22a7c1c8a6f7fc5badee54654ed3af0d80614a58064623d40ca6a6460741d1caa5f1d3fa19b7e478fd40a11f56a93be472bc4a7bd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
256KB

MD5
420a867f6d317487fbf51023e7d9eaca

SHA1
30a92f8beb9322601ed0acfb96ad78321043faee

SHA256
a5f43229ce426616f531e1e48863a1af8b2838966a3e6ad731fb026fd38eee04

SHA512
52fc46b4558ee39dc0c6dd99931e996e161dd8db1609078790e87fc0abfc2445833dc3b82bdf5c7d9f8057f3e6ab880696a8316030ddba07e5894f47d24ffb98

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
109KB

MD5
92e5ee396c1b63d96e1c45b0a045ce38

SHA1
96a9241ba12080c1ecc6483e5b68551516c3ae00

SHA256
72da6755de4fe735af3dae77d8c2c6eb89a1c0022d88618e7b1390ae5fd5c559

SHA512
185a4f5933b049346df878bf73cbd95ca49839a24fab8b6ada1bdec93b5c08f9942be1d74e2f4f9ca31b78a529b9ced31ae50eb743f76f025f029ad30c0798c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
96KB

MD5
79c6719919ad242a33114dd194ca6509

SHA1
89e819614faa3da608d043197a1e7724abd69b09

SHA256
748251e6ce23790268b2c80c17f1d0bde75fb9958e3efeaf35c651af09e16898

SHA512
57087d6b653b41299a9baaab6c2c52c1789e06561474fe2ddb76de3fb3d9ebcb4c9bb7af654078a4f6e8b21755f8245e2ba56fe7ffea1e5230c0a121cef628c5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
5987f0254466c0636fd2bb8bddee91a2

SHA1
037256f333e1347c2a95d515a0e61fbf67140831

SHA256
657afc23e10490616cd64c9e951eaa9ec68b32c4c2ced1a340c4eae2a2d49504

SHA512
3fe50836517b1f1452a3660d068c5d50725a50f2748ff3ecf59757f49af6206bbc2979cfbbae1c73b015953bf93410d1adc08f900f4ef13b6e5b451d07e5e730

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
176KB

MD5
bb4621286e6f9c421da5d076a4faba41

SHA1
66951e0f8708a6e9aa0e0d98b9aa07ac8167511a

SHA256
e37506e5c834a135caa98c3c5dbc4bcef3b0f91435e8811975b6b52671f10be9

SHA512
b3b9fc36fd93116dbf2182ec995ab11e79dd990fb0a9f3c5ea24ff030ec46ac03fa6c9cd70b0e07619833e110392a74e26af5f2489aff077f5c52486c252436a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
128KB

MD5
3b917f8cdbab9ac3e4ac1aa65343acff

SHA1
40b0a0e97417f8fb36abf2eab2cdbfb153a22bf6

SHA256
904e8544beb68062b5dc01ebc71b85b7c724daa79cc96459da2e39b28dd93820

SHA512
844e3a901e1f30430dc1f645ce91cf9f9fdfcd22bf18a9117e46154f21d3ff448e0fdcbdf62a9ac168948808d9a6ae8d9f46b9f4ab2d3ff34528c5554d9e1180

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
b43b228b36371862bf9f23e52bfc288c

SHA1
31839f8d25e2ad938fc258b71b31854cd2885a84

SHA256
7f45d98dae7e2d5f239b1c17363dbb51555b544f467cf8e5ef2c1e9ed44f0311

SHA512
ba22bc15177f98a2f491f7b13f25dd251bdc2fd484709b95cc4d1c449602e38bbc502920cc1339dc2698ced299ca235f04de11f1e67df0c096efb7edc6223ef8

Download Submit
C:\Windows\System32\alg.exe
Filesize
161KB

MD5
e414224448a46accdd3e68a8f4ee64d9

SHA1
b3fc2d9814b9c992b6c02255ba5e207197ff4e9c

SHA256
74408cd412f0589758be2bbd4efbff3608aae9700e6f3cda8db1d53a33503858

SHA512
ff391a438b868f2732e0b78aa4c8d83cea09b2212ec6c50a2d9e8a9ac51906f36eefa99ec25e0a476c25e913ffa756ba1c8d003725ba4d23296ff7870bce776c

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
263KB

MD5
477d8e169db45a24edd83b2b6ad77824

SHA1
30e89e5b8c13f5634dd49dcb5d0bb09cac8abc23

SHA256
70c892318becc45dc94a017d8c87a881647adbb20be44abe58d0cfeff2e6a8e3

SHA512
5d297dd9eef51d2947efd5e625e03fffc1a70bc375e977fdc9760bbb4cf0ef376b9151a1b3fb2110536742faa177ea6fa7d954aebc583d189eec4d0e6a04090b

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
180KB

MD5
87408c7c5d5a327ca2f016448c94f8e5

SHA1
a642e9505ad37fe5e8af1c3e00834f28a3489256

SHA256
3caf387b1c304b47302335a472d4d14d46ee356aeda74089dbbdc9588f901c75

SHA512
4d712b0ac6bc8fac5899c1884d2578aad327d7fc256c955fa84aaaf62e6e2850330c933ea0656bfccd24c28cc61186a6e41a186c2a3207e9cbf46ea9c5c34583

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
158KB

MD5
a459a9f4ae49d15c547679d56e777f2d

SHA1
f191128ca1ae5ece4f55cc4d231f504ffc538392

SHA256
a805f5014951aa4c3b4fb104c8a873c7da492ef1092e1a9bb0035bb89ec834df

SHA512
dd71c0bb788efb5d7ec40b0b012be5a7c2d1acc30cd86829613266d320ab6999d4f7d07e9c894e2377ef52b9d11ca7cd45229af8bf4f0f60e2be2f5d40848cba

Download Submit
C:\Windows\System32\msiexec.exe
Filesize
58KB

MD5
4e0e6269ec414863112e631e8d794273

SHA1
e6b8d77d437208efaf767398a86a247a701bfe5e

SHA256
73d17381b8c2898c76b040906019e54844b65a48b62f3b74fa85d0112ffe5d1a

SHA512
9acd1d2f8a3325a45238e1def853115988107ba83fae480b327c6bde6ddd8a632e3ffa0992164a5ac8ee35bad1fd7dcf2ffa0bf4fa3ccd591073f72f6bc17b96

Download Submit
C:\Windows\ehome\ehRecvr.exe
Filesize
1.2MB

MD5
beebdb966627a658e7299489a3442916

SHA1
0b4de9573a3da3af3b4a2bd488ce7686bbb2f9db

SHA256
3930f5fb5639e7a57961436da56c98a81671f78c8654982c4a0cab9250683e4e

SHA512
5d5f17f623fbd01d2ceb50176d6c32cec5b98f4cae11bf2d10ea3fe9685f6206f7c246da198904a67369908713b8b7b76bbeebc3fc1074112952b56729c2d7f9

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
79KB

MD5
15164aa40df91b45807a4b17638e8611

SHA1
002a1895c3cc23c12aac77187453e9438e253114

SHA256
07140fc8775dc6f4fb73b5351550337888a80cd6475a899e49c7c593649b87cb

SHA512
d85b0311bee90985d8e6bff6da239a18bbf193596e0c10838a677f7a275f07f0a49864dac31b82fec173eefd6c79ba3c11bc410d78de7528a3381358b839956f

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
138KB

MD5
58c1e34b577e14d26b268258a6232cc6

SHA1
30958499186f4820e586bea2502d28ddacf1b699

SHA256
3678f689825f2d6e895a6325c84a4e47220083a5f972664c67762cee50d4dbc4

SHA512
54b7c2982d8c2ec0871f879d16bae50445947ae59c0278c2c0acf4062e5ce1a8294c99986bedf11e8e9db79e2e53797159fde4ce8f1ca6a3d2d961b55fc00f2f

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
b207305b2d103e87d27c0b343e5203ba

SHA1
2e0841aa2fe1c0a73e1d45525d8fe89cfb098983

SHA256
468a3ca3928f40941899298f64b4b3b30f61366326c84d0fb16412d39662dd5d

SHA512
206d9eb49f85e57ade9db90c4855f432776969906bbfa1568d0aa0cbe621cfd8829e519efb8ae450ff8ac9a9503a262081334dc4b6aec7bbea01c8aef8764ed2

Download Submit
C:\Windows\system32\IEEtwCollector.exe
Filesize
674KB

MD5
46d9f066879b20b9677663a1d9dfb6fa

SHA1
600ed5accf5c66f81bd769a32f8b4e76a192f2b6

SHA256
820b3cbe70c07467ca97524731532850a08f5ed9068891c586b616b9693a0061

SHA512
81aab219e6fad336da370201710bd15308e877918429db8c26f8b9e0da012606d6fa4cc5529f9d8936734d1bb2c187607c4cfc174181cd05ea40e34ecca19088

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
259KB

MD5
979beb8cd909cd9dd4edb8d11a54b92e

SHA1
c784d43ce6a5bf502d28c0a73086deb2a763c2f0

SHA256
d90763954a7136e39aa750e500e5803fb1f158ae9af6f338d7b56a490fed5318

SHA512
ca40657c246ff62ca8d1e61332354fb46b6823467f904b0410206d987cf85a9b0bb2993f61fbfbd87ac26e67346a2a44e1ab007a9cc8026b0798ff35bcc07a84

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
52KB

MD5
81e53282450871198d871a0d3fb4e1fa

SHA1
67909690a08b45b6569d25fc1ca327aef41a2465

SHA256
4a21a849d1416209d79b801b4fb6cee579b569b76a186059dd413d82e8d6a121

SHA512
bc5c93f0f198c876d661a183e091bca1bcf628b176eb78730e072abb4ef44cde5f2a54f18f2c5ac7aeefbe5f8e3ce6ef53c8f3f165c5415c846118f0dcff760d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
256KB

MD5
5f13a3c9cc396f7b66358373e970182c

SHA1
3cbc66ddf1565242de4f0981a62403c229bbb383

SHA256
ac8bb1bbb34f702a47a7b04c2136c571c07098c7a335250b18746c14237bb670

SHA512
be16df09ed9c286f4c70d300808cea7ad60777c1233cdc8c9bc77e1335368fa9e006ed202d2c5a75941bd238a52b8c245644e44ab13d2969ee953ee9b92933c0

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
194KB

MD5
de6842b2c08a42cb903486646112b7a2

SHA1
c48f09d49ab02afce110685ba0680627e51aeb10

SHA256
016babea81623fae45b284d848a0f7532773f1b0b3900b78b2af67f7aa6a9669

SHA512
227429201ab874c89a8fb749b20648b8d74843869a2b117b5267532477764131d9ea28e9e06ca46d52627bd6bd366526cb0af689495c70b027668ab057ee1155

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
cea4c4c069d28db4cfc28cc1888f9a38

SHA1
1498591dacdd0091f482f14ef77278a92e5af2ac

SHA256
bd53e10e6165b0beab8e0102b5e3174f82214363d78d0ff294c93680995bcf74

SHA512
5352e44e4c1754cb9c3420d9c7eae5811b7843d71ef386fc49b72b688ead081874129147b895a64614e1133ee3a7d1149da4fd8738499aa7ce646b106abbba51

Download Submit
\Windows\System32\alg.exe
Filesize
152KB

MD5
ff3b8802a36fc12af6b9e176e17f90f8

SHA1
999da414ecf7c2ab21bb0e058c201c0a03073038

SHA256
67c353ab384c03fe691f752f3883a177af68ba2e8a8a223cad1eeaeb5f21808e

SHA512
ff05d441bcf923aceb17cc7c9a52c49863cc3e916bc28a51defe9d5a3c89f977ab53882d7e08b64941a929dbb4144352e68ef73d542cad96c173c6df899455e9

Download Submit
\Windows\System32\dllhost.exe
Filesize
172KB

MD5
f0b44e392574176c1d3770cb6350be91

SHA1
a59f4a5db47c4c3c0d94ef96bbc5db7f9eca39a9

SHA256
47b24735627a2e1397224c8bda4c42bb5fc62748e0648e91e1402a3c4dc10a63

SHA512
985ab895abd8e8c53b4dae57233f3a647fc987809f8234847142d8e16a36cb185c5678668bfa4227f7427a703f2aaa565a3c875b7af4f7413f42b5ac033523bf

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
383KB

MD5
250e8367fbab07b1b1666935c04f31ef

SHA1
48b4f49fddf3a1f5e15362b1f87a566e71fe1f63

SHA256
57856664ab27ce24e4237d3e4b49bc6bf433fab86a28b9cdfd73809656ebacd8

SHA512
1dacd5d0a7884f78ff9a316cf83978a527c616c963cd5355673041aaca2ed1d0b61cb4bcb81b850f834a94f32e6e73e1753ab23feb3e8ffa15c66bfe14354bd2

Download Submit
\Windows\System32\msdtc.exe
Filesize
173KB

MD5
9e7f74da13caed2c10d4cd121df672c5

SHA1
bf5da6bc1f6e8513f66b3d05bad2eb71edbb3b6f

SHA256
d1893333a90d1291e74e9c11d84313b83317adce99621bd35ce4ce9d7d884ca8

SHA512
a9112641e26908fcc74e4c4081b4bdfc438db02ba9bdbecb17bf7af807f31d4e31a87ea857d25a5d000b29ceb1b100e1a864ecf33ac2a15a2384656974ac486f

Download Submit
\Windows\System32\msiexec.exe
Filesize
126KB

MD5
35dc8c9b2a33c656e7a5b7c99138bc61

SHA1
109a87541d6bbb4a5f5e72a2a324a2c9175c5f7f

SHA256
c32c0170f6aabec54fe6d7e87f4b4654a80590d77812f089645cdd73655047b7

SHA512
0949f72b2b21b1a1efb6f6791070e65217a72ae9e0e950f99cd97d7ae8287a833381ce3990322c8e8475cb3d1277cc74f71c8e29c32f3b8f3d12be209e6acacd

Download Submit
\Windows\System32\msiexec.exe
Filesize
118KB

MD5
2b8bb6fc241cb807d5669651e11d035b

SHA1
78c4249f5d6b01d8a42bea5ae8d035fe6e8d6008

SHA256
8b832da097ef62bbce3b0ecd774bcd47b911221a83e1fd1656f25029c5c9dc39

SHA512
a24cab97c1fc1374cf37c66b2a804fddd6909e7536311092af52dcfceefdd7b3a84631613dd968fe2c0e29281782824334a08477320830128909a5005f35a291

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
259KB

MD5
f9bfb6cfbd5d9b27c99c8ab36b1a2cb9

SHA1
c2832bb79c2aabfd7c74145a2de271dbdbe6aab5

SHA256
614626a9108720e72371ea01d3ba3e86145ab90e61f1177713982f6508dd0afd

SHA512
006a0f172067a18fb50563616634a5fedaf31263f3c5bcada70dd79156d935b61ef233cf3e4840ade017b788e1fe4ef306506be59c7b33e4519ea9726eee5583

Download Submit
\Windows\ehome\ehsched.exe
Filesize
172KB

MD5
76b33ba0c2c467e04366ea49c447bdca

SHA1
f2ec57b79cc58e3329b81c28b75f6822043633c7

SHA256
49a84cb2d7445467a8aa06b9443a10c1e254e037d6d9b6503c91a46f272f0e52

SHA512
d671bbac708c97edda13d894a75957886b09d3f211b9183f97583db4c448df7e33155b7788c20c61ff4b595217701a7b288c93f3996cfc24db99cf94b597c144

Download Submit
memory/352-189-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/352-91-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/352-96-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/584-148-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/584-140-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/584-244-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/796-184-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/796-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1060-191-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1060-209-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1060-187-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1060-210-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1180-179-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1180-190-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1600-270-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1600-280-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1600-279-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1600-442-0x0000000074148000-0x000000007415D000-memory.dmp

Filesize
84KB

Download
memory/1652-276-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/1652-273-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/1652-173-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-175-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/1652-290-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/1652-177-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-185-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/1652-260-0x000007FEF48D0000-0x000007FEF526D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-205-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/1916-283-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1916-196-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2052-448-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2052-452-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/2052-461-0x0000000072F40000-0x000000007362E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-6-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2080-232-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2080-0-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2080-1-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2080-70-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2256-54-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2256-53-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2256-135-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2256-60-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2560-220-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2560-122-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2560-129-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2628-15-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2628-89-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2628-19-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2628-12-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2664-441-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2664-445-0x0000000000320000-0x00000000003D2000-memory.dmp

Filesize
712KB

Download
memory/2664-218-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2664-222-0x0000000000320000-0x00000000003D2000-memory.dmp

Filesize
712KB

Download
memory/2664-227-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2672-248-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2672-237-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2672-460-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2764-277-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2764-267-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2764-458-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2764-37-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2764-459-0x0000000072F40000-0x000000007362E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-43-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2764-36-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2764-440-0x0000000072F40000-0x000000007362E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-87-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2792-107-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2792-203-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2792-136-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2792-110-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2792-115-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2844-26-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2844-32-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2844-25-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2844-108-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2900-146-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2900-77-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2900-72-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2900-71-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download