4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
Size

1.8MB
MD5

e323c4bc84ba905ae9c12c6c8f43c494
SHA1

1033237510e80d426fd6705ece4f4efa89df7166
SHA256

4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8
SHA512

a5395c9080a98ac8b8202c27da895c662f01efaaeca1d7492653bd36fba05367bec781c1352d2d9f5b87284ffb311306142eb9f62ba5246dd7102f01a0055f48
SSDEEP

49152:+x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAq/snji6attJM:+vbjVkjjCAzJzEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
3064	alg.exe
2108	aspnet_state.exe
1644	mscorsvw.exe
2352	mscorsvw.exe
1360	mscorsvw.exe
1376	mscorsvw.exe
2080	ehRecvr.exe
2116	mscorsvw.exe
2068	elevation_service.exe
2420	IEEtwCollector.exe
1724	GROOVE.EXE
1984	maintenanceservice.exe
2192	msdtc.exe
2624	msiexec.exe
2844	OSE.EXE
1660	OSPPSVC.EXE
2696	perfhost.exe
2944	locator.exe
336	snmptrap.exe
1080	vds.exe
280	vssvc.exe
2672	wbengine.exe
2632	WmiApSrv.exe
1536	wmpnetwk.exe
1632	mscorsvw.exe
2808	mscorsvw.exe
2388	mscorsvw.exe
2212	mscorsvw.exe
1744	mscorsvw.exe
2932	mscorsvw.exe
1620	mscorsvw.exe
1896	dllhost.exe
2684	mscorsvw.exe
564	mscorsvw.exe
2564	mscorsvw.exe
2220	mscorsvw.exe
3016	mscorsvw.exe
1240	mscorsvw.exe
2832	mscorsvw.exe
1860	mscorsvw.exe
2116	mscorsvw.exe
2564	mscorsvw.exe
2040	mscorsvw.exe
1732	mscorsvw.exe
2512	mscorsvw.exe
3024	mscorsvw.exe
584	mscorsvw.exe
2332	mscorsvw.exe
452	mscorsvw.exe
852	mscorsvw.exe
2640	mscorsvw.exe
2476	mscorsvw.exe
2764	mscorsvw.exe
3036	mscorsvw.exe
2832	mscorsvw.exe
548	mscorsvw.exe
1676	mscorsvw.exe
1336	mscorsvw.exe
1856	mscorsvw.exe
992	mscorsvw.exe
1876	mscorsvw.exe
2756	mscorsvw.exe
1540	mscorsvw.exe

Loads dropped DLL 46 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2624	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2832	mscorsvw.exe
2832	mscorsvw.exe
1676	mscorsvw.exe
1676	mscorsvw.exe
1856	mscorsvw.exe
1856	mscorsvw.exe
1876	mscorsvw.exe
1876	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
2124	mscorsvw.exe
2124	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1160	mscorsvw.exe
1160	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
3032	mscorsvw.exe
3032	mscorsvw.exe
1876	mscorsvw.exe
1876	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
1244	mscorsvw.exe
1244	mscorsvw.exe
2628	mscorsvw.exe
2628	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\76fe5ee4323b6587.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\locator.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\System32\vds.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\GoogleUpdateOnDemand.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\GoogleUpdateComRegisterShell64.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_hi.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_gu.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_ro.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_sw.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_vi.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_de.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_nl.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1187FFC4-7B4C-4060-83CA-88C53EC9AD16}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_da.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\goopdateres_ur.dll	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM770.tmp\GoogleCrashHandler64.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DB5.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1BF9.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2349.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3CA3.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP193B.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{413417CB-AEE0-4020-80BF-BA60D9043277}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1144	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2928	4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: 33	852	mscorsvw.exe
Token: SeIncBasePriorityPrivilege	852	mscorsvw.exe
Token: SeDebugPrivilege	1144	ehRec.exe
Token: 33	852	mscorsvw.exe
Token: SeIncBasePriorityPrivilege	852	mscorsvw.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeSecurityPrivilege	2624	msiexec.exe
Token: SeBackupPrivilege	280	vssvc.exe
Token: SeRestorePrivilege	280	vssvc.exe
Token: SeAuditPrivilege	280	vssvc.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeBackupPrivilege	2672	wbengine.exe
Token: SeRestorePrivilege	2672	wbengine.exe
Token: SeSecurityPrivilege	2672	wbengine.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeDebugPrivilege	3064	alg.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeDebugPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1360	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
852	mscorsvw.exe
852	mscorsvw.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
852	mscorsvw.exe
852	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1632	1360	mscorsvw.exe	51
PID 1360 wrote to memory of 1632	1360	mscorsvw.exe	51
PID 1360 wrote to memory of 1632	1360	mscorsvw.exe	51
PID 1360 wrote to memory of 1632	1360	mscorsvw.exe	51
PID 1360 wrote to memory of 2808	1360	mscorsvw.exe	54
PID 1360 wrote to memory of 2808	1360	mscorsvw.exe	54
PID 1360 wrote to memory of 2808	1360	mscorsvw.exe	54
PID 1360 wrote to memory of 2808	1360	mscorsvw.exe	54
PID 1360 wrote to memory of 2388	1360	mscorsvw.exe	57
PID 1360 wrote to memory of 2388	1360	mscorsvw.exe	57
PID 1360 wrote to memory of 2388	1360	mscorsvw.exe	57
PID 1360 wrote to memory of 2388	1360	mscorsvw.exe	57
PID 1360 wrote to memory of 2212	1360	mscorsvw.exe	58
PID 1360 wrote to memory of 2212	1360	mscorsvw.exe	58
PID 1360 wrote to memory of 2212	1360	mscorsvw.exe	58
PID 1360 wrote to memory of 2212	1360	mscorsvw.exe	58
PID 1360 wrote to memory of 1744	1360	mscorsvw.exe	59
PID 1360 wrote to memory of 1744	1360	mscorsvw.exe	59
PID 1360 wrote to memory of 1744	1360	mscorsvw.exe	59
PID 1360 wrote to memory of 1744	1360	mscorsvw.exe	59
PID 1360 wrote to memory of 2932	1360	mscorsvw.exe	60
PID 1360 wrote to memory of 2932	1360	mscorsvw.exe	60
PID 1360 wrote to memory of 2932	1360	mscorsvw.exe	60
PID 1360 wrote to memory of 2932	1360	mscorsvw.exe	60
PID 1360 wrote to memory of 1620	1360	mscorsvw.exe	61
PID 1360 wrote to memory of 1620	1360	mscorsvw.exe	61
PID 1360 wrote to memory of 1620	1360	mscorsvw.exe	61
PID 1360 wrote to memory of 1620	1360	mscorsvw.exe	61
PID 1360 wrote to memory of 2684	1360	mscorsvw.exe	63
PID 1360 wrote to memory of 2684	1360	mscorsvw.exe	63
PID 1360 wrote to memory of 2684	1360	mscorsvw.exe	63
PID 1360 wrote to memory of 2684	1360	mscorsvw.exe	63
PID 1360 wrote to memory of 564	1360	mscorsvw.exe	64
PID 1360 wrote to memory of 564	1360	mscorsvw.exe	64
PID 1360 wrote to memory of 564	1360	mscorsvw.exe	64
PID 1360 wrote to memory of 564	1360	mscorsvw.exe	64
PID 1360 wrote to memory of 2564	1360	mscorsvw.exe	73
PID 1360 wrote to memory of 2564	1360	mscorsvw.exe	73
PID 1360 wrote to memory of 2564	1360	mscorsvw.exe	73
PID 1360 wrote to memory of 2564	1360	mscorsvw.exe	73
PID 1360 wrote to memory of 2220	1360	mscorsvw.exe	66
PID 1360 wrote to memory of 2220	1360	mscorsvw.exe	66
PID 1360 wrote to memory of 2220	1360	mscorsvw.exe	66
PID 1360 wrote to memory of 2220	1360	mscorsvw.exe	66
PID 1360 wrote to memory of 3016	1360	mscorsvw.exe	68
PID 1360 wrote to memory of 3016	1360	mscorsvw.exe	68
PID 1360 wrote to memory of 3016	1360	mscorsvw.exe	68
PID 1360 wrote to memory of 3016	1360	mscorsvw.exe	68
PID 1360 wrote to memory of 1240	1360	mscorsvw.exe	69
PID 1360 wrote to memory of 1240	1360	mscorsvw.exe	69
PID 1360 wrote to memory of 1240	1360	mscorsvw.exe	69
PID 1360 wrote to memory of 1240	1360	mscorsvw.exe	69
PID 1360 wrote to memory of 2832	1360	mscorsvw.exe	70
PID 1360 wrote to memory of 2832	1360	mscorsvw.exe	70
PID 1360 wrote to memory of 2832	1360	mscorsvw.exe	70
PID 1360 wrote to memory of 2832	1360	mscorsvw.exe	70
PID 1360 wrote to memory of 1860	1360	mscorsvw.exe	71
PID 1360 wrote to memory of 1860	1360	mscorsvw.exe	71
PID 1360 wrote to memory of 1860	1360	mscorsvw.exe	71
PID 1360 wrote to memory of 1860	1360	mscorsvw.exe	71
PID 1360 wrote to memory of 2116	1360	mscorsvw.exe	72
PID 1360 wrote to memory of 2116	1360	mscorsvw.exe	72
PID 1360 wrote to memory of 2116	1360	mscorsvw.exe	72
PID 1360 wrote to memory of 2116	1360	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe
"C:\Users\Admin\AppData\Local\Temp\4411b4d281fb5223827b8de5577669ca2812a8b876b174544a63d13042c535d8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1644

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:2116

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1e0 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1ec -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 240 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 268 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 1d0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 244 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 244 -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 240 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 298 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 28c -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 2a0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 2a8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 290 -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 290 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 290 -NGENProcess 244 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 238 -NGENProcess 1cc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2c8 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c8 -NGENProcess 238 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c8 -NGENProcess 2cc -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 238 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 238 -NGENProcess 2c0 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 238 -NGENProcess 2d8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d8 -NGENProcess 238 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f8 -NGENProcess 2dc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e8 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2dc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 308 -NGENProcess 314 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 1cc -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 310 -NGENProcess 31c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 310 -NGENProcess 318 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f8 -NGENProcess 324 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 320 -NGENProcess 32c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 324 -NGENProcess 330 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e4 -NGENProcess 334 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2e4 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 33c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 328 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 338 -NGENProcess 344 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 338 -NGENProcess 320 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 320 -NGENProcess 340 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 34c -NGENProcess 33c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 354 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 32c -NGENProcess 358 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 33c -NGENProcess 35c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 354 -NGENProcess 360 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 358 -NGENProcess 364 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1760

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2352

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2420

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1724

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:336

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1660

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
92KB

MD5
71a42cecf8158ef08aec0b9b06954d6c

SHA1
1f6e8a99585c35aa4211d09e5a9a1443ffeb3a3c

SHA256
f9821f7429600c4dec125498c233ac87452a0eb6bf88a76fcb53b39ec408d61f

SHA512
aaed2f3ea1d1eca44f5ca3543c36e3a0bdd518fe467b4ee3a3c53923fd661fe502b4dd62e48457147c5ba4cc8bbc1f96fe37a83ae8a5f39a941ee8f42625b005

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
92KB

MD5
bcb5f6a63260fc82ffe45f75cf5b4ee9

SHA1
c4190cfdd6c5e1ebd82214ec17203e88b40785fb

SHA256
19d78d9b26b0b9d9acf80bd60b151369659417aeb98510da6a71d6adf2a496f6

SHA512
5811e3c4b33099272454c786537f912431e70d9dbe193d2d235fd64905e4097ac8c737f1b410459f2a136d0c55d61be26f0dacb1f80b097adb80c4e5acca127b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
102KB

MD5
d692b1a01f26ef8da306c0f8068c563e

SHA1
0a91a6bbfc161bb76e4ce0a00c563dd4b7cb77b4

SHA256
a6f7d2b54eb560dea9899b043a72420db52fcdcd332a3c2ae85aa2c25d5064c0

SHA512
ba8c2d271d438a7042450c082398501fb7ebc5a3c1558e5affbdff927819d7b8c9ffa4866375f2dd08d569b495278d7e6dd9c221390406876c861f9dbbf7ca58

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
73KB

MD5
ff6db5c70aa3dd27ba2939c573a6be3a

SHA1
28804e9f1ad23a52b26163521caa9e03fd6de61f

SHA256
c43f5359ba0d1cdeed691201c6f637ade47be08836378844ef427c12728e2c77

SHA512
faa1d63a2fc5d3053823b8304c8848e17c3a2e9b8a09a112e4237e2eeadc504e8b251db635bd032ae7f62388c32f98ddc80adc786166d5fc0d07105b188cbf74

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
98KB

MD5
9ffd7e6e35bb2665a8db4fa2eba99eff

SHA1
62823cf53f41eb3e66f7b5f2eee236de034a850d

SHA256
c1c5cc7ddb38caa977f95bb275947a0dd2d7f3b7ec2d31ae9842ca6ae8a5a637

SHA512
08923861c9c0ec2230cab94bbe0baed02c0c32b9c96ac6a9683ff77911f5dd3384203070720566cc4c2eb0003ff28e7d72dfeb12f442957695120df64ebc98e2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
64KB

MD5
7c345a21a1a47b86fc7f387e533ef146

SHA1
093e16b0f484c2a72bac989317858bd93ddab470

SHA256
deb2cffb4dd619edad302eb6e7b4f8e9725c5281b4444ffe50730d2699e13801

SHA512
8aa29db32471f211242ff27f085d39a5f61dfd3fc885e2259d427030b68e7003f6719717641b3d97d8bd1a06290bb5e90b8b50c773818ee53d7e519684705ae8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
79KB

MD5
9ee2b956fa4724ac91eca8b1769f204a

SHA1
487aaee8d8fa10affec47da34ddf19fff470fed8

SHA256
b66d67fc5813f02b7f99f1aadfdbf4ec99ffe1b1a435ac324bd34c83ca697964

SHA512
f895b8c582c31d1c58cfb672462b49f83f5641f9b526c7d76b974e31720b9b86ffb2aa5831e7f9621213bc040c35a863fc5a7ad160e67d0183bdcf958fc516f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
64KB

MD5
d1d1785edf4f64147b648093feae9256

SHA1
690ea75fe0eba5974b8163ad31c4b3d2cec78ff6

SHA256
d667e487d866293096709b17d4d8fc556911846e794c51e1d1372d0abcfb40bd

SHA512
9a6b414972f4c63a1bffa16a040f0cd362420d7a0baada3b16bb41bc630784301f5495c903117b90b85558d42f9e142bd54eefb2944d9e30f5b002eea3026182

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
336KB

MD5
ab84a9019b93cf68827b8ef4e776c99c

SHA1
923a0a9e0ea07f79cca766dfc268067768f00f02

SHA256
90d23edbb754d5a500cd8aedceae9b974707bbbb27eed1c5ca2d3e4d45f09fd6

SHA512
e2a0382cb4e7721150155b030e146f265931180cd5b7f8aaba657377a6baf3c53e653b885da4eba4ddd42f24e5dafefd66c480e10312456a5504346e7959f219

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
75KB

MD5
5f28307e0ac7cab2f87fa49395bbcee0

SHA1
0e05c512268a1f9c28ce0763c4ce005d8e4b843b

SHA256
29571c8817dc5cccc52bbd2594c7e71868d9bcf2788f05c197b327f31316c8b7

SHA512
3935a69b8ec8636e0b80d224216adf3d0a90455b2f8ce6a0f07aead1bb5634b342c140ed1850c1e07ced3d7a8251a3efb5906c9d19aefa9632bae1c412a39d83

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
148KB

MD5
a94414bbc7ab226616c9d72bd2c33564

SHA1
9d731c3243bcc5e6c870c510ec5b669254bd989c

SHA256
b2864f9d63949cf2f046f4f235f4b4f3e4c827a9e4f7406917bae95c5796469a

SHA512
03bce65a4b031f70a9444c91d303ac492ea65539600da09e6691c1814db9ab6a80b97d0043c029932c26a8d8defaddaddde1e7ce97d2a6daec8ddff342c25c90

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
e12a7cc892fb86126c8e3a6954f1cca2

SHA1
c173f7a58a8328de232f558a1bb339ccffa280be

SHA256
df332e8869c5ed712d6c340652f0b5cf9a0186257a7c241ead8cd13a43b347d1

SHA512
a06ef2223501115f287cf2ced8112a03d24e7a6e80fe396425f3cbbee73e8ac56a85c3c8bdf9b890d999398fd3dd47ce978eb85f8b57ca316aa822dd57cab27a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
23KB

MD5
8c23120328cb5f5ad9e54e45a1242355

SHA1
4fcb94a15c5ba57d9343f48fb866da41dd4695dc

SHA256
8056bbafd922c97344d6058e67a6be904508883cbd6e5f41e7c2f815304509f3

SHA512
51e149d608098e55f74b7cc724315b30b585008a9fea1a246c77b9c2a26bfd3b0adf2e36951dd59c220e30a7d5992b7883acf7cac77145f195ef16bf936fb91c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
82KB

MD5
673f3fb7e9903b4d3a6ec22bcbc80693

SHA1
bed37e658917417a23f1551b2d0ad53a8d45ba48

SHA256
33d8931d377643e2fb0bbaa77a97ce3c4de0d1f859ed8332a2a907d524aa7dd7

SHA512
fc5ab3693422373795d38072cb5945c6ad4b2bbfab439ccd8dcd1106deba53714f747439293c44d50a41ea26d5612af9b790542875baae770915d3445ad2bb5f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
501KB

MD5
07d2f198c6444b998fbfbd9c2ef02184

SHA1
c0fdb1dc24359db199e6744c3e61b3d0aeb50acc

SHA256
64fe530c6d64c617c23dc207ebb2a09d640900375b9ac66b4e44a8e148b154d4

SHA512
ba03b3865a18137b241266dacc7bf4e37b41427b39626e5aad5e3ccfa37693d149afd1ac6659e0ff809f147d2581c3ed9064e149e91710917eae296be0c23a98

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
108KB

MD5
b95674972ebc8ffbff770bb8b32d5e04

SHA1
b624b91db3539f971a5134403f0b2eea9cc3e603

SHA256
b3d495b9cdfda58f86017a3abca5fefffa8d0caf8ffac3b6ef008d6d530cfaad

SHA512
496a921f505cc624c1a58d860839b8c572869a412f522b541e02321c5c5824d6c9c615cacaebfa2e04eeba9198c9960e131277563ff897a013e92124f187d0b0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
259KB

MD5
7102cca8000d2c1e14495c79e971ff4d

SHA1
34211cc3a28ec7446d58ad3e6fbdc9d9635240bf

SHA256
b0f88c30975637b1b99bf849da60b5d7aea22cd731b10d5177ab570a5b604401

SHA512
e437d970cc5d5cafe8c8791053ce504f0931f7ccb684492bfb1f581f882e7e0bddc1e54161af9f358bf389f2035bd88231e5a83536363be02e97a35b32c0bcc3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
32KB

MD5
dd3e48db9af5887e977646813a6816db

SHA1
37c59055f661b3b38455fbbd494b609961e30c4e

SHA256
bb13920b64d61a4d066186e4a58a868ad3f2fa60de15f52f790d0c0957bb0bae

SHA512
ffbd047d48b9ae418006b3359e550d302dffa86d8752cfee450416ffdb17baaaa55e60118fd9929b1a869bcfba76d95f25aba4047e50b360e3e863139e29128b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
126KB

MD5
76ee9907ccfa51784f7276ab8c87f387

SHA1
fc35e1c35701c3c87d5bfba4a4513bbebfde5cce

SHA256
c850c17ecbfc3758384ff4b75621f0ad6529561dc32d72b9d6277e69a4de9a30

SHA512
85ccce7e9565c68eb3c897956ca5f101089e43fd9bd4ee18d6293c2b6c7c951405e33e7f966d3a9b2f842c29baf56d7b2515c4241d4bae2ef8078f64627f2b57

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
29KB

MD5
546dae27218b3ce17c44dc8247c0dc6e

SHA1
8bb5b76129a68c0ae1375e55324849a9a0e71131

SHA256
ee8c6a91a934ba36ae9a637b4c71195e94d798d7a2c8c1e69f9b33dda9e396ac

SHA512
ffa931f0657bc2ae7e00c17ab051851c244556e811e28a2206a6f7865c940284989a53e53037fe6456e353fbbd8f64d8b075e911ad0105d395fccce4ff9cf4dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
9KB

MD5
d733428c5dfcd8290b2111da1c29f2c7

SHA1
9feb3b106f1ef7ebeaae3f6c58907889abedbdc0

SHA256
4b944761fd45cb880f2e19158fee117d37799b54a35adac192481a34c76e2106

SHA512
4cc24f114c7d5043e1aca1e3f4519f744084c5567225e10701ab9286f4d265e06bfcb26b0c56c9f532cd72acef1410890468a7e2c86bce1269504ce0d1b92720

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
23KB

MD5
c9b9b6ae67bb7ae5c07cae8532514c19

SHA1
f22fe9165be304e8a157559e3f44cfced7143b61

SHA256
a306feff3ff52d32cc6ed64244d863f3a267493cdcc1f2e8f9ba232ebea0cf66

SHA512
2942c842a870d9031da588917c267573cfbaa5372fe3ac99fc2d733285bcd6779771fc45db15cb4c2784631f407fc8a6a449dbc3bfa50244a8ec18a83b436ba5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
bbfa73dba6bd5a0211c84b417339a328

SHA1
9491946095d8a120ffe62de848ea2f0a2a08bd30

SHA256
0a843346e0994a642d3a6282ca2ce5d18f25d50a344346a80355b44e02d7b342

SHA512
2daed6c8fcf362b4038d3439c8951ec05a2d83ea75b6fe88ff4626fe144f24c004cd785beaa6941e9e64e6af33b8299c7d436d75b5c64c3956eaa8d0d966036b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
96KB

MD5
b442b3131c06ec9e932d443215226c27

SHA1
e0cbce20ade451fd5267e3b7325c664c736720d7

SHA256
f8a3379650c1a4e37dbabc8efb7ca01cf27b3b160b2efa053140654c36c6cac6

SHA512
fdb4543f31d52245460885362542a5e14b752cac45a8e562c590a9ae35acfc6726cb26338f2dec64b41d948f02ac996ca967b0ad0b36fde8dba3dcdf3200c335

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
55KB

MD5
2d7d825f3c7e4e70dddafa16c6cbef2a

SHA1
f3e7b37ca005e8839461ca9133d89a99d8a2ef84

SHA256
2d84899e4ff992f8580d78e581c963d0439a1ba788db2bc489df838a635cc5c2

SHA512
5e2822aa44ddb20fd976d1d2717587c88483b197c01c8004965556639cd9dfa632659c626408de9c45788b27a1139ff0245de248eecf626fa17ad73bfdb7f782

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
125KB

MD5
7a28b22d68c93c8398bcccd10e8dc908

SHA1
1d8ef7fee3807b23f7e7979cec4b63374c96dadc

SHA256
2de979d2742b16e57878057ff5d1f7cf124d1bf246679ed59ce283c71502143c

SHA512
8ea4668b1b7679d4f34d679bd6ebeaf72a8d36228f8de3b900ed2cf84b47e8f27008e53ae84a2e780b19b150ecb50612c57d516d308400d7671a6fb29ef9f4f1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
27KB

MD5
490ee29a0b1aaf6728fec5ff60ded367

SHA1
bac8f3811e953732b2c2439b0e2a87086752b111

SHA256
c1ae972d7ffbf359204f30e57c35deff93d2e443b5fd7245f053bb01446d2ee0

SHA512
6213d78b633f3d74e2dd917f06aae099fb9448a562509fa78ba2427c59cf0b0bd4bbc963365c3ecbd25fa03c1c14b9a58e351b8ab787ec7cad23f95dc25f8e22

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
91KB

MD5
bbe91baa685bd128f8c8897457552aeb

SHA1
4f44e11da3f92b1ddbed56c5090285e94ae53623

SHA256
748aaa48d5bb8eed6e72b3bf20cbdc365b32e23311df4c5892ccf57901b18ff5

SHA512
dafd2c785a70aaee23a6e012fb6b046570432257be0399adafd0aa1e6a4c1bc3c2219aaa5471577c2792fca3df80b44db25a992dc4f57c52a63ce8081ae455b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
27KB

MD5
664b209b6a0b0d2bf016c56c75c711c2

SHA1
3331311211f37b61ef27d3ebcf2319d2b12c0e41

SHA256
984fc3b5ef0a4a4a59b1e471131fa7d9ea3e00ab8e9c40a632ee319365ed7a15

SHA512
0d79090d00665bbf01fcec49c9a99151b12c6539ef71a83bc524d0992a05b6fecaf0c5460fd1efabdfceb3458beefd3417fad6b2850f0baea577f9d23b1eced2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
112KB

MD5
93525b4c3c3cc41dd72204a868d06409

SHA1
15980f94cc64705903b73f61ce37c5e500f2c60a

SHA256
b1ca1faf4b5cc22aaa018aa59f448f17ab67db3594a1cd56bc53bee174928078

SHA512
e50a3ee35d208c8257e7b54fceeabba977f18c4009e0fe5f8f413c6f699db2b7017030aacd4db92a1adf9c0b72ce552069e205b364d48d96f00a39210bbca269

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
36KB

MD5
bd1e6609250a653349a9bc405ea55289

SHA1
90a402f932790c3809474e2f69b22967723f070e

SHA256
ddf1c10eb9a47e9e0336ae2b44094fc5a4bca2a8671eb2d220e335b1e090154a

SHA512
5d9b76a421da1140314a4a9f67d53a485ff68aecd8747ca321c55d355e7f54212a7c7e81912f31ff13de0b883f8fa6a92381ffa5c97492bdb59b6a4f38026e72

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
274KB

MD5
ce8252087918f74c9a9aa0c2e8b2887e

SHA1
943b7e48924f04c8f3f99200e220d69a296c3308

SHA256
142e36a7e252e12cb1205759a4cde5bbcc1d1d31deb5575f29eef4644ef26888

SHA512
6cdce102958200fa644d8a6eee884f901f9762ebe914122cb5d2f393e9beed2661456197052e6882a6b1fe353358f74184ace004e7f2eb0996c8bbe37a05e748

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
103KB

MD5
58ffd381d541fe4b97b97aab93159e63

SHA1
0ec431ad7de6509164435bbacb0a5ee6f5c4f0ac

SHA256
0bd4f619c43edc99a89f86b04247428e6ab7fda37c974dfc1391a42be3f86804

SHA512
854929a08ec436c8220a6d8f28c26e32a9916f0154f79b62703bec5d09f2df717f86659d04602e151cecb7f95bd648988b4102f6730b10c95b69e14b09f1c5df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
168KB

MD5
1b07ce3f942b579ba0ffc85a9d579b2a

SHA1
54ce33d365c56b7f20d3e5babd07d932f16b717b

SHA256
691a85d018600ad134e723d6ec1759074b2e9e9a1010e9735b1b9a43c5dec9e2

SHA512
77c504c8bf06b83c11b4fa7c8634b954cb8c3e8416b9ae5d753e71b7e80246ecd99ba3b519e3601a3c144019624d45bd58f04dd4fcb88f0b2667bf324d86fb65

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
503KB

MD5
2dfd7d8d83adfd1cf0672baf59ee3de5

SHA1
3b357629dc667445fe05787f0a49728363a17935

SHA256
e0ded5d9edc83482c2c3b0a751b621e064fddb8d511cd6f0dfeebbaf2af52508

SHA512
584c6f07c6f09cce0056486edad40ad14764f031873942951bcf5643cfa40a303b632de21bc1006dffc7eb602575423b921d147fa93a9806a657d4c37d90d03c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0a1382603272fbdc1740e33fad1fc2d6

SHA1
1e1f639f001869ffc519af3b75eb358114f76956

SHA256
0eef978536a984741ab7db78ac7b7795de0b87745c6d2f21c65ac11891dd44d2

SHA512
9633d97b2337635954ff3fcbadf32ff35e389164d5bf0c0ee2e77a5ca34934e4867bb567f0c223285f0014103ec2c797e4aa74641c2a14711be7e96878ab64a6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
84KB

MD5
d6ea15d07b89a37bc9c6b98c4a5e42cf

SHA1
a1787214dd8ae2c937d081460e300590c2e61427

SHA256
cda287ba738479a75bf79798e518003370f9ca5996fd51a59c8c55850dc206ae

SHA512
f8638c294497d47e5c545fcc1419ab98333ca96f38fb51c6d9f371a29e8db7104f622994ceba7324b412dd8d05de6768b90bbb7fb36d8faed152632e933b8de3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
44KB

MD5
75d65dde31ad0bb7bb2343972c28c64d

SHA1
27c61aab1b6ecbd31e1127e92d65fba0d804d801

SHA256
c68d1e3ba28f512cec1d9c956b3d65923342e8cc959ac62c2cd41f1c9bffc07a

SHA512
98c4acc25c0931ea636adf23d3025bba3ba1f80eabc5be02f526042c47d70d4c8cad14f53c34557793b5c84f75d5f660886612952c678e664409de4aa7babd23

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
41KB

MD5
8f1764e005c83d0f243d171616e2d8b9

SHA1
9c6dbd3e7f82b3bf718c9970624ce5a43741a03c

SHA256
9c9f40bc566e0974a35b464c3401a5350d5b1160bd6098a876ae105574ca3207

SHA512
5cb246c73442988f020d1e72436a04911bca9cc6721441810d899947b0811c8863dfc43b87d09b7c1371831fd7c45fe05df68959f104fa120c14f86c78321174

Download Submit
C:\Windows\System32\alg.exe

Filesize
268KB

MD5
519b7ccf12076aa90b19b2a097a07e8a

SHA1
125342f8de15e4133c43b0d3ba49091ddfd9aedd

SHA256
9aa856d64d36f5c61625251bd4f8b0f759dcc824409cd24cf324ccd0e0f6fac9

SHA512
c4b76ffdf1262a8a7d8c4c846d60341d74a7122cd131f2427ddae70f44a1b49b78e835623c26d78cd8a374f053b0be02b7f9076c568c534bbd98225dcc5f603d

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
45KB

MD5
7b6f8ef5a590cd6cdff56f84e4616a19

SHA1
df78009f7d68742f9f7d218eb7ec6ba3b45f5401

SHA256
155390a065f15683c5f48e82e74259cca56512ac2f907adf496e03cd0449f182

SHA512
c81b7d9f5d37f344189041a2ea74f2642705afdad133ebf776c5dea2abbcd8ba8813170bf5cddb211d0a8e9d9b93b591218bec6f22ca55612eaee18b67b3b8be

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
28KB

MD5
9ee239119c3a750404c241ee3c533110

SHA1
cd6e6016ff2c6a692eccfe97f6582a5cf2b72660

SHA256
22c74694c8f2d4216c1e5a306fcc38ba866fd44a54f666bc85d613c6cb0221a9

SHA512
de945292090052410575b995fafba3f387077775de246b25408b195d34aed57e4f0f5ae6fcaa3fca013122855dbfe20816419322eeb73e7d03af55877ddf458b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
29KB

MD5
7b065f6a0dddf4f17451ed84d4da112b

SHA1
20acc20f25a1e5144325b8f6ec4df1483493647a

SHA256
b42c787c0be00fd1c7e871e6b64abe5c159dc2c5226ca7efa4b89c5bf4b489d4

SHA512
591940001d1f53ad2b0d94ff5e7054dbb1a7dd77819055b5d69d778cd6f7d8d8994cd7d8bfda300e77237af93e00e735f7e5654b5595fd46938392750e776ddc

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
154KB

MD5
648e991881cb6aa01a6ed6549269c029

SHA1
2abb0194dce5bcbd2085ce4ca0ab95d3b5740935

SHA256
9f07c93007baff1180852486afcc876615c997bd638f6908c4738c492c8a3258

SHA512
d949679cb2445b412503ccc87aa9ac6722c33e9e4b32e3fbe7238c40108eccfb4394e0ab8384aa6a29b9a9859df8e3f56c34a76e6a28835d998263820e61abc2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
12KB

MD5
59c1e98b9ba9b67291d7765db2d217d3

SHA1
ebc8457ee1118a14476d4124815d37197a983c23

SHA256
8ab58f20ffc982c70234e4c73eaeae30dfeef263262930d19e138bff1a076526

SHA512
523c5323fcebf77adbc400ded01afd58cbc59dd9e5c352c568a38db9151882468759d96cd763871b8afa58ed951b7a98a6506434947a002083031c962d78912a

Download Submit
C:\Windows\System32\vds.exe

Filesize
62KB

MD5
b9363f44d568ecdf3ead431fd3024ad8

SHA1
ddb01af28b02932b8901ad1d0de2c5d64744efb6

SHA256
127ffc09d4f0f293f82b15167c433b1c81b0faa1a23fb67c8cab3292c426cf55

SHA512
6d8be53884663b5159eb3179ca638dc467e12c6fad21afe1c601d42e1a001a442d9aab0c908d997560d8eb59127541bf8a7f2930f74a0fde961eb56eaabe85eb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
78KB

MD5
7d50b01346895549acf61d3979ba8106

SHA1
b43b98e6c4d601accc4d1d0312833c71fbe44f76

SHA256
b5e2138278f025119bdf9f476e5e72dddb9f977915286ce55cef4e0830cce226

SHA512
cd60a35d0dacc37239f3a1b5b117c4e736c1e042d379e72149d23faa85e78ac90cf4dd7f647a0ea3f43a380e37cf4ef35986c205f1492182eba4fe303a335e36

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
21KB

MD5
29c2de40dac4cd2cdfa4324498d48363

SHA1
856a82fe6633196633d4a258153087513fce246e

SHA256
7f01d55e8f95dca8984b08890de2c6abfcd7b2f4b3ed0141042703096cf0d9b8

SHA512
85d371df3f2fb0ff43012b5275abfe5c425998a6f9d74f130e69ed0941e7ddf29ba06df0713872ac6c038f1786e042a00a83ac3c7a5a29f7a234513380521da4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\595e7de6116166eff3145b064917f861\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
7KB

MD5
4d37829b532b7db39a394715ff6e6ddc

SHA1
5324ee50ccd1946026f4b5b8317563c007c41f5c

SHA256
32c36f88cbf53861df68048b9f34da6068617a22a439835363f85d7d75dcbed4

SHA512
f89b88eabfb4cfdc63f4d344ca79ac84395f3f4d0ef5fa0876bfe787f9fcd180daeb26100391dcdf6d156a49a3783709c36ac3d00d858f996f42524c023f1674

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\67136536b4c5ac02e933dce624e89777\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
3dc2ff606689b257c30b78a3c67eae54

SHA1
d020e335789c3ed144bb31309b72d4c6ec1e443c

SHA256
a5487a631ae129147f191d7d26a31a531ea6e34f8e6c92f27394b27213bf04da

SHA512
1f9a83a8f138142a409075bab7a8210bb729b4a50564a221349acb552d951bb572278fd5af68368b1299a7ca499f99b4c8239d641f468a020b258ea417de6691

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\82a5ce87f4cdafd4e92b794f6d1beb96\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
09651cb2e90d0edd287f996ff359a2b7

SHA1
d456c2d5f6e59137511005895a5b0af864ffed59

SHA256
88ae6bdc457ed1716dace1542bb6fbae21e39d5740d967cd3ad957dc8c5a0dec

SHA512
912dc0448452e74260ac381fd9de3111078ac4f07538cf7bd21706d489db082fe1ecb779873da7ddd9a3c5201e0ed8662f8467d02afcbe86732d0855ace78ab4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
66KB

MD5
42762b0a9df1157fbe99a97bb6a5e4e8

SHA1
922e1ed9e0ce4f6e98a6549ca4a743c3f9d0c106

SHA256
5222560b85ae0bdb8fbd72d6f88dede19332f10bfc534fb80cbafb87db289bd5

SHA512
4bb0783efd16e5867ae72a11fc1b8e6b40375d0b9b39d963a8d5474bb61258e23e513cdd6e2aadddb3a6801f8a28ba87d8e77dad978f1aa582730c4576916989

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
8KB

MD5
a46827a2e76e0daa465adf5046f31659

SHA1
ce5a902871ad7f55efd0ad3e737abe321f8a9649

SHA256
912434ff36dff2706b51193e249b9a3a0242bcec4606effe7706eeb32947faab

SHA512
bac1c83a278ab264f134b6b3e06800b9abbc6edf795d8e44121cb94d5a443950d22efafbc4f7bff3180b850cc2cb8c69da1cad1a2be9975af8372cdf6e9e70d5

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
114KB

MD5
4e736724158acd884161fcdae8aaf34d

SHA1
862417e0671a33caa0e9f86216defd7ebcc43402

SHA256
5cdad7c1fe58878327e73c81b0f950fa9adf3fbb12c5aa0b868b3809cdbd758f

SHA512
c655c8741d5801c760b9a4c6ec3642e974f952897fef4c1ff92cba1a041a7f8230057b4e9b0fda977df13353a7597f5702dbb36970a738387e112fc9e837778a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
255KB

MD5
cd6dda76c0ffc71729d18e3b402be7c8

SHA1
4928e9b271d4394a6d6fc6583cc0db13d9a67b90

SHA256
338796e645d521569ea1083323f146a28d40ae487bca949ae07c1294ae3dd70d

SHA512
6e8ccc8a62443c4bde979033e97c0e9b69ffecd53e23488a9a01aed69dfcfb17511e8c27c844416ce1fa8236ff05432030e0033e26c77e5fab25f49dcc60d87c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
11KB

MD5
33ed8643df29bb3ec19bf5639e8626f3

SHA1
f0cff2aa2ef72e7aff55963c947a29e135e0d49d

SHA256
9784be01e2e86c84ce0afafcc8f5fc233182f73631422598555f56ad9f8ab129

SHA512
c412cf53e2c531abd6c01b42ab0a703946c8225e44fd6955e33ef458a3396b194645397a78df813043f9cc82dea218cc4d6b9de9b9eb9b00a4b136d4e7e3b1f7

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
84KB

MD5
107c7a1148d55b96ae63a697b7c8e10d

SHA1
a227c889a7d265399b9cda0d3190de92f1e9ecdc

SHA256
29791935ec6cfcf29db6cc591a85294a4f4a696580c0f5cd19325f658f35fad4

SHA512
68489367dfce23c30e250249b395d380d3aa5233cccbf146a4a02c02324d79ccb873aaeaff95be4b3bf75ba161c2a149cb058b0e1eeb35dd7e3aecd2d91dc71d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
638KB

MD5
ee2c36ecc142b9922c8932adb6f1c0fc

SHA1
9e732174b5b2b9278bf86aa086489be0eba02424

SHA256
b974644a1af29701477f4f6ce698add907ba36dcc53f2fb6a47dd3cb02dfcb68

SHA512
c9ff730a81fadda68fd1cdb119878240b9dc67d2df0c1e87487de53d1de58f1266875a3991646eb1743a471c6a6a08ffa216046c930f0b5c8df45c75d78d0468

Download Submit
\Windows\System32\Locator.exe

Filesize
33KB

MD5
a667f5a6a80f21e6bbc866b6683c1112

SHA1
e538fa228bd1d77097f26d0fd104b35f134d6694

SHA256
af63d7bd788172838b748fa7b0697310467d898aa0ac1217fd6f01d367e41845

SHA512
2020ff445680e12e3387f6cf0af7d2e8d3031da6e7a74f32efdfd415b301d34550fb55caa9cb504aef211d40682fdd52457071fa31ce617063f024eb3dcb4339

Download Submit
\Windows\System32\alg.exe

Filesize
161KB

MD5
1d542b7dc45132e4e2dde70ed37e108d

SHA1
be542d9e49c56cc6c21f81b93d2e4266e9fb184f

SHA256
30030cb40006d1be527c89026f6d2f231583946ad0d95f8ec3cd3e32b98b34df

SHA512
88ecb7d0ed48c624dcd3b979aa1255201fa3b3aff20a10796e524b2ae28882019adfeeb33a3c0ef019a272cc63a5b04528b86e5f7e854ab7733031e4b712514f

Download Submit
\Windows\System32\dllhost.exe

Filesize
6KB

MD5
0fdb6a7621a9833bb228f451ea7aa6ce

SHA1
cc575d7721e6ed21313b21db80e902a29824d96b

SHA256
2d8a9ca236b34825b1044ad68de1de2ead76d4a9dc28316e192b7f9e609bddce

SHA512
e344bfacb2d3191781030854903bac018765868d30b3c84eaee71bbfd4936d488e72c7ffb9d882c1a842e2debed4005e29a6c15af9dcf25fc8f82cff09bae3f6

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
126KB

MD5
7b9c842769c4a8eba437b9112ab501dc

SHA1
469b13bf8f45464abd30fd109534191b9e6779f5

SHA256
7db12a492f3c637f26d2ee5c33b5020ac2b52dc74c48c98c7351cb5d8d220539

SHA512
26577f07dd841db8ace3632e4a7136d7f710377b054a9b90319261c04b26e804731c53807b65f88fbe3936ebbb83b9b505fba5189def3bfc4b2a53507f8e591e

Download Submit
\Windows\System32\msdtc.exe

Filesize
92KB

MD5
d638c2672112d78675d6fb8f131d9452

SHA1
2670463f8efde5dd031b12c7ba62264f13b77d12

SHA256
4269ba12d54cc9028dcaea11599a829bd65e651a7ec100810c3c08528aca2e9c

SHA512
bed9dd9acd2442bcb64b5c129d967f645e5faddd5b341326013aff1e3ad1d4dc18f542e15dcc7ce77c7072a6574e931c4f8242aabfc1226dcba217c06fb5aba6

Download Submit
\Windows\System32\msiexec.exe

Filesize
170KB

MD5
d29e462e872ebf4eb3987b29fe4154cf

SHA1
2cccf83ae21b62942507c3ef8c82ec5b4d1a3262

SHA256
a0e9cdea8b84fbc1bffc0523bf2bf204805f38b7593d6d9e110183336bc39186

SHA512
f86feb42cf1aa941494cdcb7add0ab165c9742a733f91f6531135b04a87e24bf2795bcb21bc5b9bf9aca3dc56c4742da4267f65d583cce2f4343b1540c8109b0

Download Submit
\Windows\System32\msiexec.exe

Filesize
110KB

MD5
7b0a8d20f20ab4cc9a6666c252ec3d64

SHA1
6e087b3d066ffaa72cfe97fab238ff89ac6b3bf7

SHA256
b093832fcff49e8df1f890335e6b74b315365cd8d3ede7bcb305f119434339d0

SHA512
8d125eefaad2cb363a39107c7670fb534b4f99721c0f36a8c8a485df9c9931240550e7390290c73ab937288f4204720ecc83f60558b33b09f11dc06d0fb8d917

Download Submit
\Windows\System32\snmptrap.exe

Filesize
148KB

MD5
f418b73fe4a23d03bbffe1a8a85e9eac

SHA1
5257f6c0807286abb8f5ddaa44d85214149a96f5

SHA256
2878b5d20bdf35fe05c2d88f36060dcc2b51abd112e7294a40024a08b2282571

SHA512
e600018421293f7d0efa0bf396f8d5a43d3abdd80cda24cfcc63bf2c84ec4904de458871d852a6538cafcc46facaaf0dfd5bd382c839a4b6f405cba9aa150bf2

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
30KB

MD5
a7ad0e0f48007c48061c6ba11462261a

SHA1
e2a57ef240ec0923e94f3827e02ea17bd6e8776e

SHA256
9cb55097fb0a9fc177b108bbffae12256210eebe86db405d88820477cbea72fe

SHA512
e1a6e3c18633af24fb2ceb484874d4ac070dcd284fafd019a5d1b9a24dbd5c540f507fce0071b3802d0e30cbd38d75e42842eda1a14771b30873301ac0c1aa46

Download Submit
\Windows\System32\wbengine.exe

Filesize
27KB

MD5
0964a31c08a5795a4aa7eca5649637be

SHA1
3868c095186fa0b386b9c7456b0cf31cd1542c3d

SHA256
2999baa1017e74e14dbf09eb33e3c7a0e6a9c1c025ee0ba2ac1ddcc35e8fd834

SHA512
7f703bffd7498afa661073d2fcc9c4062f8257d84228d110199182d91828b7c579c47510cca4835420e44256aec690b419b1d2cf7055a7628cbeb68916414b22

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
395KB

MD5
58a7619d2dbe76b53f29094c96ada025

SHA1
83f723a2fd59b84770cdcd872e366324b6f3b19f

SHA256
efb4f6718d386fbe91e93e6fc0fa0debbdb1de18a4bcc6a2fefea8166649d655

SHA512
83872d1f58f4ba9a3de1c7338b2dda86cac6992b694d7804639a0f22ab2d9540a9398fe17c69292d719f587cfb2fd10e50a3af87e8bf64b5381b43a2d3b9eaf3

Download Submit
\Windows\ehome\ehsched.exe

Filesize
87KB

MD5
058b9a7d4963d839530631c7b87a8b4f

SHA1
407c7e5b2bb04e37327649506b54676ce08795b8

SHA256
54df1cb8eaca24b7faab66a084f7c73f5d53809cfc3f1054ad1e1215888a9786

SHA512
2cb4520e3dcc25c319b2b11e2b155b367a0149ca797f3cc88cb9c245bcadd96bc91c7f466a1ccf9917d2b97735e912a114434e703b5e171ab4522308312d547d

Download Submit
memory/280-349-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/280-357-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/336-323-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/336-331-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1080-342-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1080-335-0x0000000100000000-0x00000001001F5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-199-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-270-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/1144-202-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/1144-260-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-217-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/1144-288-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/1144-204-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1360-124-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1360-131-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1360-125-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1360-190-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1376-145-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1644-122-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1644-96-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1644-102-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/1644-97-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/1660-362-0x00000000741B8000-0x00000000741CD000-memory.dmp

Filesize
84KB

Download
memory/1660-347-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1660-296-0x00000000741B8000-0x00000000741CD000-memory.dmp

Filesize
84KB

Download
memory/1660-290-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1660-291-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1660-280-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1724-214-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1724-274-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1724-212-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1984-220-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1984-251-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/1984-250-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1984-231-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2068-178-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2068-255-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2068-185-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2068-181-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2080-170-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2080-243-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2080-216-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2080-155-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2080-149-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2080-148-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2080-175-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2080-169-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2108-93-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2108-173-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2116-229-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2116-163-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2116-162-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2116-171-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2192-307-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2192-249-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2192-234-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2352-112-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2420-206-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2420-197-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2420-191-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2624-258-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2624-321-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2624-329-0x0000000000530000-0x00000000006C3000-memory.dmp

Filesize
1.6MB

Download
memory/2624-276-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2624-262-0x0000000000530000-0x00000000006C3000-memory.dmp

Filesize
1.6MB

Download
memory/2672-370-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2672-365-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2696-302-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2696-360-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2696-294-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2844-277-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2928-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2928-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2928-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2928-140-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2944-309-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2944-315-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3064-22-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/3064-40-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3064-12-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3064-158-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download