94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 10:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
Size

1.8MB
MD5

bbfc1cfeea6b8ea2fde04df8eb4e5a56
SHA1

5728022169c869824064d6661990f975401c7529
SHA256

94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237
SHA512

35d2cfed07026a7f35bf6c8a27fdf3deb0ac652cee729776342121fbf65c70d5f1b8593381a7cfc8cd63a913547a81eed2a0fb5f7e1cff9fa75fd3ccd9b49eb6
SSDEEP

49152:XKJ0WR7AFPyyiSruXKpk3WFDL9zxnSlaB0zj0yjoB2:XKlBAFPydSS6W6X9lnbB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2808	alg.exe
3020	aspnet_state.exe
1868	mscorsvw.exe
2500	mscorsvw.exe
1152	mscorsvw.exe
1108	mscorsvw.exe
2024	ehRecvr.exe
2328	mscorsvw.exe
2204	elevation_service.exe
2748	GROOVE.EXE
2840	mscorsvw.exe
2632	maintenanceservice.exe
2588	OSE.EXE
3064	OSPPSVC.EXE
2152	mscorsvw.exe
2516	mscorsvw.exe
2136	mscorsvw.exe
3036	mscorsvw.exe
2972	mscorsvw.exe
1652	mscorsvw.exe
2540	mscorsvw.exe
2508	mscorsvw.exe
984	mscorsvw.exe
2328	mscorsvw.exe
2448	mscorsvw.exe
1324	mscorsvw.exe
2988	mscorsvw.exe
2324	mscorsvw.exe
1808	mscorsvw.exe
1668	mscorsvw.exe
1080	mscorsvw.exe
2764	mscorsvw.exe
276	mscorsvw.exe
2164	mscorsvw.exe
1988	mscorsvw.exe
1572	mscorsvw.exe
2308	mscorsvw.exe
752	mscorsvw.exe
2528	dllhost.exe
2840	mscorsvw.exe
2944	mscorsvw.exe
292	mscorsvw.exe
2124	mscorsvw.exe
2136	mscorsvw.exe
2356	mscorsvw.exe
2148	mscorsvw.exe
2504	mscorsvw.exe
1720	mscorsvw.exe
2864	mscorsvw.exe
2640	mscorsvw.exe
1936	mscorsvw.exe
1376	mscorsvw.exe
2216	mscorsvw.exe
1680	mscorsvw.exe
2168	mscorsvw.exe
908	mscorsvw.exe
2940	mscorsvw.exe
2152	mscorsvw.exe
1044	mscorsvw.exe
1056	mscorsvw.exe
2248	mscorsvw.exe
1748	mscorsvw.exe
2216	mscorsvw.exe

Loads dropped DLL 37 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2136	mscorsvw.exe
2136	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
1720	mscorsvw.exe
1720	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
1376	mscorsvw.exe
1376	mscorsvw.exe
1680	mscorsvw.exe
1680	mscorsvw.exe
908	mscorsvw.exe
908	mscorsvw.exe
2152	mscorsvw.exe
2152	mscorsvw.exe
1056	mscorsvw.exe
1056	mscorsvw.exe
1748	mscorsvw.exe
1748	mscorsvw.exe
1760	mscorsvw.exe
1760	mscorsvw.exe
272	mscorsvw.exe
272	mscorsvw.exe
1916	mscorsvw.exe
1916	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
1692	mscorsvw.exe
1692	mscorsvw.exe
1572	mscorsvw.exe
1572	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9198ca191b98a6ad.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C16.tmp\goopdateres_en-GB.dll	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C16.tmp\goopdateres_te.dll	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C16.tmp\GoogleUpdateSetup.exe	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C16.tmp\goopdateres_ar.dll	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C16.tmp\goopdateres_kn.dll	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C16.tmp\GoogleUpdate.exe	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C16.tmp\goopdateres_sv.dll	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C16.tmp\goopdateres_bg.dll	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3E58.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{17203FC5-C9A6-4266-986A-E2D4E0D8B521}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7262.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP342A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP51C8.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4C9A.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4441.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1676	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2580	94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: 33	2264	EhTray.exe
Token: SeIncBasePriorityPrivilege	2264	EhTray.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeDebugPrivilege	1676	ehRec.exe
Token: 33	2264	EhTray.exe
Token: SeIncBasePriorityPrivilege	2264	EhTray.exe
Token: SeDebugPrivilege	2808	alg.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeDebugPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe
Token: SeShutdownPrivilege	1108	mscorsvw.exe
Token: SeShutdownPrivilege	1152	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2264	EhTray.exe
2264	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2264	EhTray.exe
2264	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2840	1108	mscorsvw.exe	39
PID 1108 wrote to memory of 2840	1108	mscorsvw.exe	39
PID 1108 wrote to memory of 2840	1108	mscorsvw.exe	39
PID 1108 wrote to memory of 2152	1108	mscorsvw.exe	44
PID 1108 wrote to memory of 2152	1108	mscorsvw.exe	44
PID 1108 wrote to memory of 2152	1108	mscorsvw.exe	44
PID 1152 wrote to memory of 2516	1152	mscorsvw.exe	47
PID 1152 wrote to memory of 2516	1152	mscorsvw.exe	47
PID 1152 wrote to memory of 2516	1152	mscorsvw.exe	47
PID 1152 wrote to memory of 2516	1152	mscorsvw.exe	47
PID 1152 wrote to memory of 2136	1152	mscorsvw.exe	48
PID 1152 wrote to memory of 2136	1152	mscorsvw.exe	48
PID 1152 wrote to memory of 2136	1152	mscorsvw.exe	48
PID 1152 wrote to memory of 2136	1152	mscorsvw.exe	48
PID 1152 wrote to memory of 3036	1152	mscorsvw.exe	49
PID 1152 wrote to memory of 3036	1152	mscorsvw.exe	49
PID 1152 wrote to memory of 3036	1152	mscorsvw.exe	49
PID 1152 wrote to memory of 3036	1152	mscorsvw.exe	49
PID 1152 wrote to memory of 2972	1152	mscorsvw.exe	50
PID 1152 wrote to memory of 2972	1152	mscorsvw.exe	50
PID 1152 wrote to memory of 2972	1152	mscorsvw.exe	50
PID 1152 wrote to memory of 2972	1152	mscorsvw.exe	50
PID 1152 wrote to memory of 1652	1152	mscorsvw.exe	51
PID 1152 wrote to memory of 1652	1152	mscorsvw.exe	51
PID 1152 wrote to memory of 1652	1152	mscorsvw.exe	51
PID 1152 wrote to memory of 1652	1152	mscorsvw.exe	51
PID 1152 wrote to memory of 2540	1152	mscorsvw.exe	52
PID 1152 wrote to memory of 2540	1152	mscorsvw.exe	52
PID 1152 wrote to memory of 2540	1152	mscorsvw.exe	52
PID 1152 wrote to memory of 2540	1152	mscorsvw.exe	52
PID 1152 wrote to memory of 2508	1152	mscorsvw.exe	53
PID 1152 wrote to memory of 2508	1152	mscorsvw.exe	53
PID 1152 wrote to memory of 2508	1152	mscorsvw.exe	53
PID 1152 wrote to memory of 2508	1152	mscorsvw.exe	53
PID 1152 wrote to memory of 984	1152	mscorsvw.exe	54
PID 1152 wrote to memory of 984	1152	mscorsvw.exe	54
PID 1152 wrote to memory of 984	1152	mscorsvw.exe	54
PID 1152 wrote to memory of 984	1152	mscorsvw.exe	54
PID 1152 wrote to memory of 2328	1152	mscorsvw.exe	55
PID 1152 wrote to memory of 2328	1152	mscorsvw.exe	55
PID 1152 wrote to memory of 2328	1152	mscorsvw.exe	55
PID 1152 wrote to memory of 2328	1152	mscorsvw.exe	55
PID 1152 wrote to memory of 2448	1152	mscorsvw.exe	56
PID 1152 wrote to memory of 2448	1152	mscorsvw.exe	56
PID 1152 wrote to memory of 2448	1152	mscorsvw.exe	56
PID 1152 wrote to memory of 2448	1152	mscorsvw.exe	56
PID 1152 wrote to memory of 1324	1152	mscorsvw.exe	57
PID 1152 wrote to memory of 1324	1152	mscorsvw.exe	57
PID 1152 wrote to memory of 1324	1152	mscorsvw.exe	57
PID 1152 wrote to memory of 1324	1152	mscorsvw.exe	57
PID 1152 wrote to memory of 2988	1152	mscorsvw.exe	58
PID 1152 wrote to memory of 2988	1152	mscorsvw.exe	58
PID 1152 wrote to memory of 2988	1152	mscorsvw.exe	58
PID 1152 wrote to memory of 2988	1152	mscorsvw.exe	58
PID 1152 wrote to memory of 2324	1152	mscorsvw.exe	59
PID 1152 wrote to memory of 2324	1152	mscorsvw.exe	59
PID 1152 wrote to memory of 2324	1152	mscorsvw.exe	59
PID 1152 wrote to memory of 2324	1152	mscorsvw.exe	59
PID 1152 wrote to memory of 1808	1152	mscorsvw.exe	60
PID 1152 wrote to memory of 1808	1152	mscorsvw.exe	60
PID 1152 wrote to memory of 1808	1152	mscorsvw.exe	60
PID 1152 wrote to memory of 1808	1152	mscorsvw.exe	60
PID 1152 wrote to memory of 1668	1152	mscorsvw.exe	61
PID 1152 wrote to memory of 1668	1152	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe
"C:\Users\Admin\AppData\Local\Temp\94a9c57e4b6f9da61f8c41dd9f62f8f18f6a6d160dd0702443672d484b5a1237.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1cc -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1cc -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 1cc -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 240 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 244 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1cc -NGENProcess 27c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 254 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 284 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d4 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 254 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 254 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 28c -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1ec -NGENProcess 20c -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 258 -NGENProcess 234 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 23c -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 24c -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 268 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 248 -NGENProcess 274 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 24c -NGENProcess 278 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 234 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 284 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 264 -NGENProcess 290 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 274 -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 270 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 298 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 248 -NGENProcess 2a8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a8 -NGENProcess 274 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 290 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 27c -NGENProcess 29c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 2bc -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c4 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 2b4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 29c -NGENProcess 2c8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 290 -NGENProcess 2cc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2b4 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2c0 -NGENProcess 2d4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2d0 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b8 -NGENProcess 2dc -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e0 -NGENProcess 2e8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2cc -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 350 -NGENProcess 304 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 300 -NGENProcess 354 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 358 -NGENProcess 304 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 35c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1748

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2500

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2024

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:2328

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2204

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2748

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2632

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2588

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3064

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.2MB

MD5
0d1b812c926f23635d8eaaa6263111f4

SHA1
627d33c26cbf0b93a33a54543d7f3b8e1beff1ea

SHA256
d10ec027dc489dc094b6c6d85ab139e15bcf1d3d6eea1036df2b7a17a8b6eac8

SHA512
cd87751355eb123a47ae4b0b08506aa697322f687d393204609cff06fdd31dd5a9c13fc65b53a113c3cb4aeb64fa33e07c00e1f7acf3586d00d92fa5d2457244

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
2365f2be73e506f183e266800164ddc7

SHA1
bc290284a47e9cbcd6d00b7268c104a2ef8f2c21

SHA256
9396a1f60884eac6c089ee6c0d47ed72dd59407eee344ead85e36099f4ad27df

SHA512
0bf4936584be9945406f718be22a5ecd7a37e8f28a88c91b3dfc55621b6bcfbb422a7ca7fb880a45b9457a5a3d1019360abedbc33b667f77e83f9dc0ca0dc536

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
2c1763019cd1991f5c54d1fd4eb6515a

SHA1
fbbf43be788ac93cb973b5c60059077b07cce418

SHA256
955e80ee598ddf970c4165194e19140497cfbeff8f45ebeae0b21c18922e393c

SHA512
78062809001e1289609f110b8f5e0a584b205c401af703c09e5d98b3dbb337b3ed533f0a909139032eef68e973f28880f5e619ea0ea571607a81fc63f3db648c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
eb67d9c752bdf2df2e2c8e53e1a01ba7

SHA1
060b7636e87c8bb06c1578117074ee424a81043e

SHA256
930db28310dea606efe1edb23242ba29b6efffe4e8fb155e0c4a961479d1b93f

SHA512
137bc6ce977d9b8da00698325af9e28c8310c84df77cc005af242bc966581e80c841ef3d37514e1524c83906d66003592ea1cfc1214e1f98a2b1e758ac35e6d7

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
106KB

MD5
294e14a49f2045f91a9e59574ac14ea3

SHA1
e3e20fb2223ac1c44d88e97c437dda66e1e7db3d

SHA256
dd0c9f35fd66dc056a5bb0c8e15e5dab32dcfd4c615eafd8ce571410dbe01dbd

SHA512
1e4d47374e5ebe69915a094cb97a8a81e759cbc8b190a420d961d3a649c1c8104727160a107f4d5602df9235a379c06ddfc6b3c81fd614a66b839fd3bdeea706

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
209KB

MD5
a926d548f9f18abe193d34fb9c5486da

SHA1
340b9ccb188e8d9b6910be591700c123dbc48d12

SHA256
a0fc4bb186d6883c7022914efb3f6c86433adbb55fbd83b29cfc6f6b7278d1f2

SHA512
021377e58b02108de0469b7e9e5b05223b3cbc634054bc9d79568440455898f83bf1a8f09a08441a43ac4d7e0b953c9be764f1c04a5847d3b2aa228f24a3be32

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
270KB

MD5
d673eb3da0b97309234e0228d760bbf7

SHA1
775bb57476c94b9363c8cf60f0a0f78b6f9895eb

SHA256
17a7a744d8d8e030da4c9058bbd6f2e7ff7c3d1471e3649222389b26fab297c4

SHA512
a64bfa62a704bd4261d0cd2eaa5a56ef1975703cfb61da3c0b8b88860f02f34367354146ff270cab0130ead2e81c67647d9b92890333114752924425c0ffe5c1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
68cc9ac390899e3a7b619189242ddee2

SHA1
336f8147a9020998ab4c7d898203c77b3450ec17

SHA256
44fbee4dd3434a8177871770360be34855f375d9ce37fa3b84650cfeebafc5b9

SHA512
42ed8f44a954d3b384ead4e078245ececc9f617edf0ed0d4d86b19b2567c8ebac772881533749d7d314dd79934cb6d76fe426027ca416cf56f799266f8276bbe

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
f795ccc5f84cd3ef0ffb1c50a0c3375c

SHA1
77cffe5330b5f9f7c2b872c9ece361f33b0a4c99

SHA256
4c4da6de034d91d41367810ea18a67ee51936f9128ef22f597a5e925ce153749

SHA512
1270749760a11d1407d11f31cc1dae4b394fa7238578c99c213df2a1b70443d76401adc6049888f61f05b70ecffe49e2e6df78921f55b96eb1d69d6f29887834

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0cc6e08f8137e43269ee16511f2ee8e3

SHA1
27ebccc64fe7e1b95fb555546fd384aab5323fa3

SHA256
2cbd6aecc38ca1521e3e0fb63df6a494a898afc9e81580611a81eb2ef96a6eeb

SHA512
1c0d9a6fca2570b8d111e2ebe9468a94c4ac188ebfa02949881c6119294f5f30fe031fe5879fb1ebbdfc889d84c9156f92bc7b8b1ea5cb6d496a2040d7eb9172

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3403a6f715ca40f2c52e359daa620031

SHA1
0849541dcefe82e919b37e4da3126adda5d5f585

SHA256
3701605ece2805f8742d2852f3b59e603056e8256df8bf0e983c02e79bb63f47

SHA512
0e3802f941d516d657503aca84bf78b48ab69c7446cf9469adc6248f772beb7853eb2454387978821ae7142cfb2a225307cf370a13f8a9eb3a99c088a8279adc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
659ab45887870d274ec558e06fdeb09b

SHA1
0e5f0e9a8e424b8d29523250543fbce370ebe57c

SHA256
60d60f21c6b6ac0e2a5665b7793cd251841a016b4ed71a269585cf6cfa8518cc

SHA512
d18285544fd4c6af9262a8f95ba4a31baf0b560c11ddd806d2388226503bcd7e06c7513cc30bb148bcb0f7a1628691ed0ac15386a923fae899da4842c521ef83

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
412KB

MD5
1e0947bbab634582cd28ce31008d2ae4

SHA1
be28feac3e9609069a9ce12636df66a62b043b9b

SHA256
93b1747f5c2341ee385150e3cde42b9dec672d009654031f207a1af7e3b1fd1e

SHA512
9e79ab28204f5b76a6eb1af90fdf56cfcf8331dc0e4dbda0336e41c80aedeb0c07be86b9d3c8340f4fdf896451e82d11c9e62b1e118f0dfb9f7aaa6cd2b679b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e02da259e2e9335ac87bf43f37f5bc0a

SHA1
fc637cb6cc78d2c18ee6794b4c05f90cd539d49f

SHA256
3e1ab5571e9beb16a0cc0f8a3c41d401b6f1f2389e87584fc8d62eee8ba0b917

SHA512
05ade1014773c11b36275a62b27fee044839f8c923a0b36c349daea3125a0da256c9396e7e7ff34c8ab774b201760a3a6b0b2448a431c20dc65a913339c06e1b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
588b39577f4b61ca03b79c29dfc47d6d

SHA1
0c8dee73def7f4ea38777e07943da586a87c7b7f

SHA256
83cdd7906bf43b084e6511ba511a8ff2cb34b43e5bc362bd62281235f9ac9285

SHA512
6367a68e6d4649c3ba7b2680e96bdaee5e0694df2107333f39840bf0ee03eb5bb100a203cfa6a90fa58b4b051413c3a82c01471fcc9331417d0d2662b7b471b8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0885f6394aaa5bf885aaa92fda85f9bc

SHA1
381202f64d432da727719b4c0e38ce455a64b4c2

SHA256
ecfdbfc94df8925391d0a93419afdc98aedeaa022b77a90206005bf43a283178

SHA512
36e350c651823152047dd13ae9bdca174a0dd04c3a8b3391d26ca404737aca8d9fd415be64a68037f1163b39396da3c3bcb4a8fc8fa73fb4d6cc8a12564b2f4a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
50KB

MD5
c054c46a1c9adc101cf21a93a558b714

SHA1
e0b2647c44e06f0903f5c0d7de4bb6ac98e37b05

SHA256
fc32a03ff58634332b3b033870f98c2e115354e7c66b6bc6324c9a946f6c159d

SHA512
5997e388c68fcd3cf9f30f26452bcddd35a10e8aa7dd3ab2daf1007c75446affdf800553b64adea3c6b8e6845a300e813eb4e563798d58d748575885b4c1ba99

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
425b0817b1608d76ce0d81cf5ae0ca07

SHA1
b943a212b28b7a18917216b61e0daaac1f0f7647

SHA256
93618af62bc81ae6608f85d1e51551383357e9e60e460e1bc43b2b8a5a0f9bc8

SHA512
70c7708ab07ac999dabcaf2df2b3a2170b71ede7f48de469293f2c6f269785999f8e085311e5555b858f4e2202f1c35b3665c8d427ae47a1abb1a19303edd643

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
544KB

MD5
9dee6c092f270c758a4b4e11687da2af

SHA1
a468a2301a3a076c46be7fce16e6707515b5ef50

SHA256
f59ef595db5116d3dde195a03f56336e3297267486f52162a5b9631f33099569

SHA512
5405a3ee78f99743ae78e9c68652f4995012fae93b832d134f74e238acc65ff47713de23412fe11e73c27d02568177ceb2d1824537909c64c66b8450ff3b30a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
320KB

MD5
0c9ecbf1abcd2bfa58be44964d9a7684

SHA1
b2603a0e5a3f8969a3ce045727f2016ae1756f87

SHA256
5b0f4fbe11cd8f88d71bcf33137a6b873b2622ef6480ca9f3ec3e8cd048ca553

SHA512
65cfb7b5bc80ff93b2a5686c6f4e63eb92a6c63147dbaa318be0c7c3f6bc227d77052beb0aa9c7bc505b001dd6c0f457754bc77ff4a19ddefb66159d6ae944ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
296KB

MD5
218bf7a52eb258ab295bf8bd6ebe45af

SHA1
fdacbfac97c0bbd46d09a8c03ae0e4b54447e800

SHA256
0c12555d1795cc614ee8ee78f4fa7ae09b5661a981b20a6d13d74b35d11e8e50

SHA512
e266d0d44eb83d20fe0bace7707fab7cdff0826bfe860ebbe5997e936f5598d8aba104c59da3a1a6dcd0959d8caa8735fc00934dbb3534600232437d412e28ae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
640KB

MD5
a202c6fa24ac58614c78b926035c8374

SHA1
a52a30090168de8bbf943c4cc9e27f5e061aa69f

SHA256
deae40d380b0fd23c91a358fe27c89570737b4c1a04d43a9626eabbcb5a01aa1

SHA512
3cc7e7a008c0b0b9abfa587b4229d424a778ef479487308cb733662a96f423a73887551e124635658d8dc4f3574286bc2767c6045274649fc8f2432327054a6c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
311KB

MD5
7c52609765b7bb6a9b8f06321ade7ba5

SHA1
127745096849ab10c61bf694303cc003310638be

SHA256
e8b71f77ec3950c65ac60ce190933eefb9082668e93cf6196ec79c7c4ec37005

SHA512
2dbf0036a662d514a9a02c8ad28499844afcf19ebf0c418ed2703c886404cdbadd869dda97adecd84e9cb96b8d772a348c7bbb81edd96fe559b52e4a21c30047

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
143KB

MD5
68098ffc8742d8797f2859a3e22dc224

SHA1
4513e0de08a44f7d78fe1c26a98b991c03525932

SHA256
b9a41036e044ee928dc16f519aafe09c8804d5d92776861bc14dfd8017b309ac

SHA512
a8021f76de5aa9d4a02fef4c2845afca19bf9906577ddf234845376c05d1fbbaa970d29af0b0cb53b2854cc7f44df57fd95fb12a86a7fe6d533972401500a8a1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
210KB

MD5
33482e3833d36757b040c45e4c4a7f76

SHA1
d46119698731db7fc805910b15aa18ba707f30b3

SHA256
50de76b8330ec8516e1f9703111d20c8cd32ccde5214c16eef31351f6e168faa

SHA512
4fb3ac899fb46d2d6ad58eb4d256b9613179134db41dcfc1ed82c4f8d6cd863d2787f1172e09fdaf6c56ea0ddebbd2735bf2daf82227e3177916105acb017fc7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
8c18c4abbda8866d8e60293f23204886

SHA1
5483b19e8ff9a6f26de44fc0e1f806b459e04f8c

SHA256
647cb1989d2a697931f44132b8dbcaa096bdf2f2163993fd99d767f53955df1e

SHA512
30d5c13efd0dec1405134b2fa1fa9c0a0485a562d226914a90c2ce8015f69167cc7c103eb173b911540393348570d62bd8bc8dff76caf4ae19dddb59b201908a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
de95757d73f8cbd8c0e893020903ca2e

SHA1
9e4b676761fc3cc4e7a9697e8c60b91843885447

SHA256
8933ccc0313035e4f1967490afc6dddaf2e08e679f12a228903393166f565c86

SHA512
96939468b00f00a2f0540fbe60d62fbbf6a9c42ca3f543b568f1988870794d7e67ee6e545bc720fccab58be3f358685de292746170c4ab05225b159cfcf83319

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
167KB

MD5
515a6c2d06a3763197f62868a3a7eb2a

SHA1
3787e6f40e5fd9f212f08f6596d3bc59fe00af1c

SHA256
ca24114b45984a22858a06f45f824af15b3516a486bfb7f8d952e034fe2b531d

SHA512
5c61ceffa943d452725084fcb66ac1cab1f6a30a7ba5aa850e4842ea20d368826f021326c20ab9cb52185d8ed64f73889db93282a26d747981c16cb55a9d251f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
308KB

MD5
f83840007d369a68066037ce20625c2c

SHA1
60e28bde8c460c540e0bcdf83cff590717411863

SHA256
9ebeebc9e2875e1fc533770ad954222dbbe68cf544de074885734e8e055abf01

SHA512
74989026c7d85b1d8d901134b4bae7ba5eb1b1dddb4a00feda1340632d00c67d90575aa04014189c063590e883e2b61d73bd6ea6b5a6557c10356b144255618a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
372KB

MD5
5a68879d55f822561885f18a5041c559

SHA1
4d1b3357168ac6e9c8f05979d488ae223641fa2b

SHA256
73e3f0d5bdfc053c73e0df4bb1fce0fd8a972ca15997abb72780cbcb8e0f88c0

SHA512
8a01864baeb4e5359e532a67f427212a7435221207500b8aeae8807b72f5c5e2b1e6969aab0c7763fbb38671bbf317f6571595335bd50cf67a1d8ae4e27c958a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
335KB

MD5
66da977bea8effdcde1a4781d0bd479b

SHA1
5a3b905a049809e461a3c6af7e10a9ec52d6d2f7

SHA256
979ed2587288abf3114ed665b6f5a4fb7b95592ac055f81d4229f02261e48249

SHA512
58ce0ac395e0e692eb8b8b939ddae56247fd601bcc0047994f9c218526dc86b009e5b1e856d10450046bf4906f797a650f5d1a47b4226601b95a207afd3926d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
84KB

MD5
bdef02b9362534838daca3cda621135a

SHA1
7ae71e5d88ea2334302bc7bdc839d45b53cc1094

SHA256
b75eeaa1e08c3efadaf2d4be18b920b6a190285c17cbffca5a5a2bd7d4b06259

SHA512
feeb0bd82a50ccbd06da1744a7a19886e44a9f20c8822daea2cea586c54c233590da2a6468282991b85cb955d28b5a24724fb3eb25fa2bf8b461a07943ab8822

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
449KB

MD5
16f67e0c0c10be3e1a9e8011c0a278a8

SHA1
f238a3a5c3303e2c26d21282661df6b8cf9bd143

SHA256
92cfad668244bfc8f4d6480e642458d2736cd8d4805a71a18d56d98161937a10

SHA512
d629993b37ea11ed3813bfa6c4258a5898f2ce205dd58e6824ba0eb5b880ba6687d3e78d9c2dea04325ea03f7ab90fb82fdafe8c2bb1696bc893035c65c70d19

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
6433be4ac35f2f5af6070437044f810a

SHA1
c9009eec39505526b8223bbacb03a5568f97300b

SHA256
597471a5a1b8e5b3d51dac32ee4597583ae0a927f40aec722e7ad266a4247ff0

SHA512
810f95c6784df2616aa38a4625b77ad81398ec15ea296d31b5cf3a71299ccd83b20186eec6dcb63feb850710174a1e03c619684acb050c1acfed573aa11594bf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
65a74afaedf78beacf7b895a1ab175e2

SHA1
d37b461f99369f81b22424f611f69597040c9170

SHA256
83be186a873c312aa3ce6c27c7516807024e180cb729d9146ecc139ecd80cc0d

SHA512
9f89f29e788202bf85f63a1393034e94e7c11a268fe53a01d004d9eb93b67b69d1cd6adde6f87fdfee7e73fddffdadc09f4f9108fb717d585d4322c91ff6c301

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
856KB

MD5
9020e3e85244e45fa0c83f7f6f7282ad

SHA1
aeb74a5c39753f23d5613d5412092a17c1baa9ca

SHA256
265b82f019816818bd96e4f161c19402ca94b97accde405839eb33925a620bab

SHA512
aa06ddc94ca3744b9cea35153f581db031a5102fa14e11bbb1d0b41c1bb60da2eec021ce1f348ab9ac71529eecae4faf2905571f32c93fcd16aece7cdde3afcc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
595KB

MD5
64588822f9f554caca5f37549317759d

SHA1
a30ec81693f8269f95fef9258a9bd8e9ba0a4574

SHA256
4928b08febec2319d441902ace2456fb995ed0c9ef2e37b381fd34336d7c86c1

SHA512
dd99d6452b75bca6d3eadbc7175b2655b7e15638b3c8dbb56b3716380642b498c727da97f4a98a3d6bd83a011252863fd6a89eecef6837c734b2bb2846eae3bc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
405KB

MD5
ba0f8aaca2d18c5f187097318bbb1198

SHA1
5580b24ac8d8dd09823bbcf3db9755c6b83af154

SHA256
ec4c8a2bd12556874d43178414bf27388088c99b3b4f30c05c3c88970af67e9f

SHA512
340fe17a9ce028da7e5674453b0b058032b449d5ff205a5cd1dd01ee94e22aa9f91858286a2862df14aac5f3528c2674e4719de9964bb2e4acb9dcdf9e068266

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
14KB

MD5
278749594387d761177384c96f9366a6

SHA1
e9e072969bda62285c913e484b0994b2da6a5366

SHA256
ebcee577721456e060e4dd18fc9bd40d5d9efeef40504719e683e8145dcb0bce

SHA512
f734f5ca8c9f8e6cd238ef3e2705aecd231f044730a6b8d04105a22678958d7d455d30031f95ff0eb01ed3ae373705128c375ea0e4685b8190596e5467a743fb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.0MB

MD5
e41bab68c90f2d36b77088c335306cec

SHA1
7cd567b98fb31e40ec0ddb6394b1666b5bba403b

SHA256
cbf0ccb75f3595607b7e94717b533e92774d53273fdd57835d652e631dc1e08b

SHA512
3f08aaa78c5282c6cdab1864905530114937788e9099620b234c599e01e896d9b95efb088ab30e15835648bc5497dc6b60098fee2f30515489fbc76a34b32466

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
62a4e7cf35d718dac3eaa10a391fc842

SHA1
b1f62e08e9fb8c7f942a90de061aa13d1f221afc

SHA256
e0f88e51c9b245ae1c10b24f9b0b906248b6655321baea9bf5fbba5c1ff37988

SHA512
7809beaed5d36554bb3a8ea521359879b15e732f631f2f6fef7f4f1fa8723e2b21ce09625c70275ac072ff1d30efc9b28c2348092e74f7ed0b1fc93754aa0873

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
680KB

MD5
3551860673043d265a0f79130edaf53f

SHA1
7a665fb10d53f9ec894a0f5a38dee1b42467706b

SHA256
78d480841779bdc87e0dc49b22bfb62856f4839151d33c074c24d77661b0457d

SHA512
c5dbad423b2ecfdc84efa52f9f036b40f3306383575f37a72c05fb7d0c70c2120acad4af1558c9da30c84840d80c79f62b5d0b87c556bc707b09322a3155cd81

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
585KB

MD5
94653a64c74a9397cb8df74406f85728

SHA1
476247342a902a5f8392d7195dc4fdffea083895

SHA256
22cd1cfbdf80f3db2f9f91a4d659c7e8aae4ee6f8e5df335879c08dc6533f552

SHA512
cd2807b88330b8b21aa273a49933701b8768cfbb5ce06c75e4edab12e416a94e36f4839b8586abc39d94cd734b0453339ebda3af956f7e1bfee9e24635ab93c3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
155KB

MD5
2905dc2a1d485ffcec6ec7b13d9da88a

SHA1
127ce2604d615818e57943998ddfa6dcd025c920

SHA256
fc46640c47e5d13d14460ea28f25d143904f21e76becccc1036884b705fbeba9

SHA512
bf4391bfeb36573363331b15b15ea0e4eb0704564e806bf2265a369b0c89f17e27fc95cbd0eaa5328c5c9aff8a9a761b363a1f043518bcf9dc2aa2492ec947fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
850KB

MD5
af2f67fd58413a7e7f5ad8bffeda755c

SHA1
dd503b7d84f311c7ef031dc7ea92e4fddbb95e64

SHA256
b832f067cab329316deac05183e3f31b3ebbbf9dac5f99951f081670e71c4a14

SHA512
691fc45f278d8e12d0f00b60b5290fb9e60addf358f4bd9377b41e8a8646e2811380866357136bd7813b56b05c5784c12603030eda0ac399772a23e442b7d525

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
676KB

MD5
71d65da2c90e7822bb529a2aecbc8065

SHA1
a818265744cf80de2bb7c78bd99251b4b7faba59

SHA256
c4071f0d21d9a4361031b6948409fe7329433bafa9f08e5c27a1b017de200ec5

SHA512
13ce4f90049ddd0ff0774ca9974a364c95f2ca003b4a846088f79d74c91d4ba171a2479df3630bf691e6c7caefdb0d1fa64be05f718a2a90a1dd77d4db2b0db2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
371KB

MD5
124af3209b84a17fe6c2b5cb56e1b28e

SHA1
39f2bf1759007cdcb5a47a4fe246c1baeaeb02bd

SHA256
f522f51d2e22c8634a88ad87ebebf2109e415143b0b89cfa4f89664180b22415

SHA512
1749aa521eba87283a8f1501e4bc0be13a2af1debf13ef7c0b4161fd908850fddbd0306ecc465c5e71740e6bf9ab4ec01b018556a223af408e5374ea687d8669

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
506KB

MD5
1cee14593daf84e7c22651be62913b76

SHA1
8993f3f2462ff6b3e9d5c815794d967389bee27b

SHA256
2ebb28e6d7cc18f45452f1889286b7fd5473a780ab8cdd3352ed3871714051ab

SHA512
07727d01ff9a895ca2618075815416df294dfd7af9b77afb3104d2be05e2907655419b241bd84451f0910ee18bbec32052dbe23504de0ac34e967fdbad0d4651

Download Submit
C:\Windows\System32\alg.exe

Filesize
194KB

MD5
364f2e3a801b07b67dc2c59a61117390

SHA1
f073c0fa583bea513a48927be31c337e61ee192f

SHA256
ae03ec9b49852717dbfef0b24d13ae9948f8616dd49c96bd37d8dcf657325aad

SHA512
154b4a6fae5994a09c2769eb5d233b5edf44906660eb2da9e192912ef1520f9f7f8acb4da6f1b9af0a6afd44b0255e19f3766302837c114ed09ac94074307384

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\040046a7f01fca2bb909fc1f64c03a2c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
ad9cdead1b7f9cc5105127dc77b1c1c9

SHA1
6269b03dd1f5017411cf3efeefca433aecf51a53

SHA256
849ce74dfe25ef1841b49c3d7977819c72e22e699b25450e852d9aca73518aba

SHA512
5215a58074936082a77e69463a2ba0be9c00309ddd4d86193b573d3186c85516c72a5f6a7ca9ffba30b356be0e151da21b5918875d79edb35033adc89254b27d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\16332d35f8f480baf05ccf1e91ba3637\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
65d8392202cb540f90192f1d5f0b1a4b

SHA1
3bd6282561dc417c66c701be6a2b3ddd4bcae807

SHA256
2abb114a0097d66f244278b458d548ab5bde36dca3dd31e30def699940070dac

SHA512
d2962df4cca31a369fbea13598ab3499653bcf13ace5d5713f5e388c3484c6dba32d0cb7ec7789253201e37d403a238ca5ed3570882bdaeabdde5436cfb69d05

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\181e6398cf4b580d158822d529979803\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
bf8223fa909f39a96b3f8509b5af21e9

SHA1
ad4680c2f51cefa3725337e473633e5b2ee7feaf

SHA256
1ce7e2e5a08dad525a2b93fd6a95afe2c20a5d6464de0fa4a3df441dc606cf70

SHA512
b3afa95d3c7e60714a6c7d1a7415fc41c064c66e5cdc2f88a66c7481e07ad4046d9168ab4658ed86f48ea20ea0a90d31ebc44c9f9b5da304b87db4ca24f66380

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d20ab601769579fb47bcfe5d11142361\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
627ee0c9c42050b8195a1851034b2b79

SHA1
a8b979a47c4f0a808e9aafbff332237c11e9d49a

SHA256
4ac869bb7939f9791816263c7cc4ece84b998d8a81386bf602f3d15226d1690d

SHA512
1ad538694c87afec3143238d969f77c0421c081e1b475c4e3d76bab0319b7fb83598244bec12daa9fc2d66db487cccc959bbd991bc47265a2a74c73abef564ef

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
8d0e3b912655789464c4f29b74ccbabd

SHA1
a07203da7c9e308a9b5d7fd57293ff0aedf60b6c

SHA256
bfc66b3ffd6c419c1bfff38542de7ebdf1ea6d376e060dff747189c01cb19b77

SHA512
3b781c29397255938d8234a81d5fddeda7fb9936c5515abe3f7b2910d0e17c104023c1c85b84357176f3b49941dfdcc3cd90e8ba2c6aad737f08353dac467cf5

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
45KB

MD5
297a22b883d166904f9fecb07c0783ee

SHA1
7cb12901a6dbe6d8e9caf035712d7b28e9022d68

SHA256
635931cdf35b26e2af18d8ccecbaf9eb81d915098da21c23b3de498b7d3f6bcf

SHA512
f6b4de53c442c12f9b3623ff21ec54205c6cd8959154d4b556a5f8c3e1e9fa3dbbed04b1010412c65e4abf81d3be22af1a7a8d9624e030599688db516fbc806b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
5ffbc3866e950d1a896339a4275b4201

SHA1
400d77d1b31dc563b08bf6d10e861e9ec1610cc7

SHA256
15f60b9f4cc0507b1b0641cfcb8c52d804d786fb027d4b4ce9e21d9eaa03708d

SHA512
7f23eda1ad3ce06fe9a427f18202e6409fe528dc051d2e4f5a6284a86349462eec76d11c726c26343960d0b7177b72b06df9d50a3bba24ad3330210c0fc3cec0

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
429KB

MD5
b178a7048ee4f27e5247f33e3cc43d50

SHA1
c09a1f32942019587e05be5237e04a118982bc70

SHA256
b5036119bf167a4ba48e20d5dfb4607193217bf2ea9727781c2e5a1a83d64bca

SHA512
2685f7a7ee1e7435a4c75edaa4aaaa2f894391884c04d2375234fc2a3e356a3ac9b6f51130ecfe1ed450eb847046cbb10df111e985cc38ad081bc88dad750293

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1006KB

MD5
8af606c9dd9c55869c858b0f986490e5

SHA1
44307886c66bb56451739a9e7931fd57ae0a0693

SHA256
dc534f79f2ba4c2d13a1463ffe2ec04641553f22af732d6107657a7b651c471e

SHA512
a84664e86e2b49309fd785b0eae123051203fa3cf9061749da19bae46fc67f8909a1375139c4c499f7679a6dd88719eb6a5383628051c21bd6eb98c3a3fdb860

Download Submit
\Windows\System32\alg.exe

Filesize
218KB

MD5
9c36152b7651403561fc82645f1d1278

SHA1
a98f9ab6637e3021c96d8f61043a87a8059c9523

SHA256
c012e221f7a06bad58eb086ad63248ff72be2984d2cdd658c7dcc420fd421839

SHA512
5656cd28e60dbdc60e5d692b3e0d30deac46023d1345264acc9142fefe0604264f41d0548188a9cbca697ca3d7ed90de0c73625c2779cf6da54e07f3dc112d75

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
025fdcc22614791a175d672cbea780a5

SHA1
3282026d4abaadc918b7e0ee67b00bc5d0cf441a

SHA256
23c1a7d7a9540c811a232b050881d179c31dc2a981febac06d3204b53e82e0ba

SHA512
326dcaa3751d33f7c3c45be5a666d1f5f8d74ba23c8a8cf8599bbac48a16baa169b8c982880665ea449063f95cb8cf5e3489dae70746f2ada62de2ff66cec178

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
110KB

MD5
3beb840cbac7894be1cd14020f996b8e

SHA1
be2e9e494f8f1c1b2cadde1ac3ebfd5c25f8163d

SHA256
fcfd54554f44b05065c82e5137ed2a00db1e90c9f84d748d7d03364ba04f9d47

SHA512
b573046127dd4b0fb1ce298ae8228f024b0230eb8962d45b92e65044170a9e1874f83ab443034804fc6ddb448196d1aff30aa098ea3efb29b19aeaddb679468c

Download Submit
\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
02ded3447377c0237f5b36976f385770

SHA1
509ff74428c7e3ae3d91fb335aa71911408eb669

SHA256
bffd98eb3497f47911df5ee274b038c04f503250d703a637240bb351b218c494

SHA512
f9b235dbddf7ab03f72a2692e9eeb012cf0aa33eb67d8e17c0e8a5f4cd20087e9e511e69f154bc758fe31f126110360e649112df9818906c0b204cfdba0ffe73

Download Submit
memory/1108-320-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1108-144-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1108-143-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1108-150-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/1152-269-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1152-134-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1152-127-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1152-128-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1676-421-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/1676-502-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-504-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-493-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/1676-315-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-323-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-316-0x0000000000C10000-0x0000000000C90000-memory.dmp

Filesize
512KB

Download
memory/1868-125-0x0000000010000000-0x0000000010125000-memory.dmp

Filesize
1.1MB

Download
memory/1868-104-0x0000000000970000-0x00000000009D7000-memory.dmp

Filesize
412KB

Download
memory/1868-98-0x0000000000970000-0x00000000009D7000-memory.dmp

Filesize
412KB

Download
memory/1868-97-0x0000000010000000-0x0000000010125000-memory.dmp

Filesize
1.1MB

Download
memory/2024-162-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2024-174-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2024-492-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2024-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2024-248-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2024-168-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2024-333-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2024-259-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2152-537-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2152-529-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2152-539-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-538-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2152-521-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2152-532-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2204-261-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2204-264-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2204-498-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2204-271-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2328-508-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2328-256-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/2328-509-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/2328-175-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2328-255-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2328-420-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/2500-114-0x0000000010000000-0x000000001012D000-memory.dmp

Filesize
1.2MB

Download
memory/2500-136-0x0000000010000000-0x000000001012D000-memory.dmp

Filesize
1.2MB

Download
memory/2516-550-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-548-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2516-542-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2580-249-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2580-0-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2580-6-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2580-142-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2580-7-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2580-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2588-319-0x00000000003E0000-0x0000000000447000-memory.dmp

Filesize
412KB

Download
memory/2588-326-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/2632-305-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2632-304-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2748-288-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2748-499-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2748-318-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2808-38-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2808-160-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2808-13-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2808-18-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2840-317-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2840-526-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2840-528-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2840-531-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-512-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2840-517-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-94-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3020-173-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3064-330-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3064-335-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3064-334-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/3064-519-0x0000000074378000-0x000000007438D000-memory.dmp

Filesize
84KB

Download
memory/3064-490-0x0000000074378000-0x000000007438D000-memory.dmp

Filesize
84KB

Download
memory/3064-505-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download