614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
Size

1.8MB
MD5

99082dbf332838681ce39f9daf760ddc
SHA1

005846371ae83e62f42e1aadc6fd671ff0401eea
SHA256

614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b
SHA512

5c69cd0cd7b82d05818c3dc15e3f46e6565c64a839f3e65ffc5240fe018e361483548ed599ee8846345867b96e68827cd9a768b5afe5dc214ce9c1d81743b4bb
SSDEEP

49152:Xx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WApgDUYmvFur31yAipQCtXxc0H:XvbjVkjjCAzJ3U7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2732	alg.exe
1040	aspnet_state.exe
1800	mscorsvw.exe
1572	mscorsvw.exe
2304	mscorsvw.exe
2368	mscorsvw.exe
2256	ehRecvr.exe
588	ehsched.exe
1620	dllhost.exe
2700	elevation_service.exe
2888	mscorsvw.exe
2100	GROOVE.EXE
1840	mscorsvw.exe
1272	mscorsvw.exe
2308	mscorsvw.exe
1684	mscorsvw.exe
1608	mscorsvw.exe
1996	mscorsvw.exe
1776	mscorsvw.exe
2432	mscorsvw.exe
2112	mscorsvw.exe
2196	mscorsvw.exe
988	mscorsvw.exe
1272	mscorsvw.exe
880	mscorsvw.exe
2332	mscorsvw.exe
1424	mscorsvw.exe
1628	mscorsvw.exe
2784	OSE.EXE
2792	mscorsvw.exe
1152	OSPPSVC.EXE
1560	mscorsvw.exe
2788	mscorsvw.exe
344	mscorsvw.exe
1596	mscorsvw.exe
1840	mscorsvw.exe
1352	mscorsvw.exe
2948	mscorsvw.exe
1172	mscorsvw.exe
1084	IEEtwCollector.exe
1312	msdtc.exe
1736	msiexec.exe
1848	perfhost.exe
964	locator.exe
1608	snmptrap.exe
1652	vds.exe
3004	vssvc.exe
1724	wbengine.exe
2520	WmiApSrv.exe
1708	wmpnetwk.exe
1376	SearchIndexer.exe
892	mscorsvw.exe
2676	mscorsvw.exe
560	mscorsvw.exe
2920	mscorsvw.exe
2124	mscorsvw.exe
1468	mscorsvw.exe
2132	mscorsvw.exe
372	mscorsvw.exe
2168	mscorsvw.exe
1696	mscorsvw.exe
2728	mscorsvw.exe
2004	mscorsvw.exe

Loads dropped DLL 37 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1736	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
764	Process not Found
2124	mscorsvw.exe
2124	mscorsvw.exe
2132	mscorsvw.exe
2132	mscorsvw.exe
2168	mscorsvw.exe
2168	mscorsvw.exe
2728	mscorsvw.exe
2728	mscorsvw.exe
1948	mscorsvw.exe
1948	mscorsvw.exe
1780	mscorsvw.exe
1780	mscorsvw.exe
2908	mscorsvw.exe
2908	mscorsvw.exe
1020	mscorsvw.exe
1020	mscorsvw.exe
2044	mscorsvw.exe
2044	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
2240	mscorsvw.exe
2240	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\db362faed795e6c9.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_ca.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\GoogleUpdateSetup.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\psuser_64.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_hu.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\GoogleUpdateComRegisterShell64.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_tr.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_uk.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_zh-TW.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_pt-BR.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{FC7689B6-53F5-40C8-A6C9-065A975C439E}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_et.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_es-419.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM363D.tmp\goopdateres_el.dll	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6401.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4D65.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2674.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9B81C758-FB83-499E-B73A-C48BCDCA44D5}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6FE3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F80.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{3BFDF53B-700D-45F2-931B-3A3B2E91BBA7}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{3BFDF53B-700D-45F2-931B-3A3B2E91BBA7}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2952	ehRec.exe
1040	aspnet_state.exe
1040	aspnet_state.exe
1040	aspnet_state.exe
1040	aspnet_state.exe
1040	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2928	614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: 33	2904	EhTray.exe
Token: SeIncBasePriorityPrivilege	2904	EhTray.exe
Token: SeDebugPrivilege	2952	ehRec.exe
Token: 33	2904	EhTray.exe
Token: SeIncBasePriorityPrivilege	2904	EhTray.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeDebugPrivilege	2732	alg.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1040	aspnet_state.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeSecurityPrivilege	1736	msiexec.exe
Token: SeBackupPrivilege	3004	vssvc.exe
Token: SeRestorePrivilege	3004	vssvc.exe
Token: SeAuditPrivilege	3004	vssvc.exe
Token: SeBackupPrivilege	1724	wbengine.exe
Token: SeRestorePrivilege	1724	wbengine.exe
Token: SeSecurityPrivilege	1724	wbengine.exe
Token: SeDebugPrivilege	1040	aspnet_state.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeManageVolumePrivilege	1376	SearchIndexer.exe
Token: 33	1376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1376	SearchIndexer.exe
Token: 33	1708	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1708	wmpnetwk.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe
Token: SeShutdownPrivilege	2304	mscorsvw.exe
Token: SeShutdownPrivilege	2368	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2904	EhTray.exe
2904	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2904	EhTray.exe
2904	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe
1636	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2888	2304	mscorsvw.exe	40
PID 2304 wrote to memory of 2888	2304	mscorsvw.exe	40
PID 2304 wrote to memory of 2888	2304	mscorsvw.exe	40
PID 2304 wrote to memory of 2888	2304	mscorsvw.exe	40
PID 2304 wrote to memory of 1272	2304	mscorsvw.exe	53
PID 2304 wrote to memory of 1272	2304	mscorsvw.exe	53
PID 2304 wrote to memory of 1272	2304	mscorsvw.exe	53
PID 2304 wrote to memory of 1272	2304	mscorsvw.exe	53
PID 2304 wrote to memory of 2308	2304	mscorsvw.exe	44
PID 2304 wrote to memory of 2308	2304	mscorsvw.exe	44
PID 2304 wrote to memory of 2308	2304	mscorsvw.exe	44
PID 2304 wrote to memory of 2308	2304	mscorsvw.exe	44
PID 2304 wrote to memory of 1684	2304	mscorsvw.exe	45
PID 2304 wrote to memory of 1684	2304	mscorsvw.exe	45
PID 2304 wrote to memory of 1684	2304	mscorsvw.exe	45
PID 2304 wrote to memory of 1684	2304	mscorsvw.exe	45
PID 2304 wrote to memory of 1608	2304	mscorsvw.exe	46
PID 2304 wrote to memory of 1608	2304	mscorsvw.exe	46
PID 2304 wrote to memory of 1608	2304	mscorsvw.exe	46
PID 2304 wrote to memory of 1608	2304	mscorsvw.exe	46
PID 2304 wrote to memory of 1996	2304	mscorsvw.exe	47
PID 2304 wrote to memory of 1996	2304	mscorsvw.exe	47
PID 2304 wrote to memory of 1996	2304	mscorsvw.exe	47
PID 2304 wrote to memory of 1996	2304	mscorsvw.exe	47
PID 2304 wrote to memory of 1776	2304	mscorsvw.exe	48
PID 2304 wrote to memory of 1776	2304	mscorsvw.exe	48
PID 2304 wrote to memory of 1776	2304	mscorsvw.exe	48
PID 2304 wrote to memory of 1776	2304	mscorsvw.exe	48
PID 2304 wrote to memory of 2432	2304	mscorsvw.exe	49
PID 2304 wrote to memory of 2432	2304	mscorsvw.exe	49
PID 2304 wrote to memory of 2432	2304	mscorsvw.exe	49
PID 2304 wrote to memory of 2432	2304	mscorsvw.exe	49
PID 2304 wrote to memory of 2112	2304	mscorsvw.exe	50
PID 2304 wrote to memory of 2112	2304	mscorsvw.exe	50
PID 2304 wrote to memory of 2112	2304	mscorsvw.exe	50
PID 2304 wrote to memory of 2112	2304	mscorsvw.exe	50
PID 2304 wrote to memory of 2196	2304	mscorsvw.exe	51
PID 2304 wrote to memory of 2196	2304	mscorsvw.exe	51
PID 2304 wrote to memory of 2196	2304	mscorsvw.exe	51
PID 2304 wrote to memory of 2196	2304	mscorsvw.exe	51
PID 2304 wrote to memory of 988	2304	mscorsvw.exe	52
PID 2304 wrote to memory of 988	2304	mscorsvw.exe	52
PID 2304 wrote to memory of 988	2304	mscorsvw.exe	52
PID 2304 wrote to memory of 988	2304	mscorsvw.exe	52
PID 2304 wrote to memory of 1272	2304	mscorsvw.exe	53
PID 2304 wrote to memory of 1272	2304	mscorsvw.exe	53
PID 2304 wrote to memory of 1272	2304	mscorsvw.exe	53
PID 2304 wrote to memory of 1272	2304	mscorsvw.exe	53
PID 2304 wrote to memory of 880	2304	mscorsvw.exe	54
PID 2304 wrote to memory of 880	2304	mscorsvw.exe	54
PID 2304 wrote to memory of 880	2304	mscorsvw.exe	54
PID 2304 wrote to memory of 880	2304	mscorsvw.exe	54
PID 2304 wrote to memory of 2332	2304	mscorsvw.exe	55
PID 2304 wrote to memory of 2332	2304	mscorsvw.exe	55
PID 2304 wrote to memory of 2332	2304	mscorsvw.exe	55
PID 2304 wrote to memory of 2332	2304	mscorsvw.exe	55
PID 2304 wrote to memory of 1424	2304	mscorsvw.exe	56
PID 2304 wrote to memory of 1424	2304	mscorsvw.exe	56
PID 2304 wrote to memory of 1424	2304	mscorsvw.exe	56
PID 2304 wrote to memory of 1424	2304	mscorsvw.exe	56
PID 2304 wrote to memory of 1628	2304	mscorsvw.exe	57
PID 2304 wrote to memory of 1628	2304	mscorsvw.exe	57
PID 2304 wrote to memory of 1628	2304	mscorsvw.exe	57
PID 2304 wrote to memory of 1628	2304	mscorsvw.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe
"C:\Users\Admin\AppData\Local\Temp\614a76bd6606b2f493d54cda015ea9372b07a08708c803cff98167e0062fa86b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1800

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 250 -NGENProcess 1dc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1e0 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e0 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 240 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 1f8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 240 -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 27c -NGENProcess 1e0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 1dc -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 278 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 1e0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 1dc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1dc -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 284 -NGENProcess 298 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 284 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1e0 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 2ac -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 28c -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 23c -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 1f0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 21c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 244 -NGENProcess 21c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 21c -NGENProcess 260 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 21c -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 1e0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 258 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 284 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 278 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 298 -NGENProcess 268 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f0 -NGENProcess 260 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f0 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 284 -NGENProcess 1dc -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 278 -NGENProcess 2b8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 128 -InterruptEvent 298 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1dc -NGENProcess 2c0 -Pipe 128 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1e0 -NGENProcess 124 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2cc -NGENProcess 2a8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2cc -NGENProcess 284 -Pipe 124 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1dc -NGENProcess 2d4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2dc -NGENProcess 2a8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1172

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2256

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:588

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1620

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2700

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1840

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1152

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:964

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-928733405-3780110381-2966456290-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-928733405-3780110381-2966456290-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2936
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1740
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
93KB

MD5
d7f9bc63149bfc772237ab45eadd5503

SHA1
4c61623931603ebe5e31edfbc83df962cc386ad1

SHA256
f9b1c160ad097c4f48877e413bcb331b951fe6888988b308c04a6b30cdd1fa66

SHA512
cc92bc95e6104c56a5850e0cf91b0049e6bafea583cc49b9103c977500693081765c5f53bed0b54eca7a329e75e229f09d351847d918d87e7019a78c07a99e5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
934KB

MD5
7ed496d9cb3ae7fb812db42b1eb0247b

SHA1
42cb9c439d2b7a8214976d0b82711967119aa271

SHA256
2e85baeb3b9b4bd82e6613207ef37cd9a53d311259d90487f75a0fe5476553ec

SHA512
0d076e9eef9af2e83053a718884a847f3406f15b07b71eb922d53ca280c24be6041dc9c00ee40a557fdcf5c46c44c87bd6ae5da2fc07f7816af1fe442f92efd6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
626KB

MD5
c3e30383ab75e42354a65364e9939eb1

SHA1
c6f47290da71387ddb01a50e24878da7b884b679

SHA256
f714194a460136299849a9b22bcf1046fa7063f2d49f3151f4ab8b2260bc86d4

SHA512
167616fc013edd94fb583db29ea69bb783bc7817357e66ef5bf46c2d44706cc54d723653b923395d4a0c443dcd94fd090eb0db551f777350def9736e9609a35f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
12e2bad2a4efd7ba5e251f291e958f31

SHA1
e26e4965b3ec9f96daebf52234d4479eee3f8a8d

SHA256
6f6eccbd1b43c94d90a1e990df4c74ac7d576e833fe7fb240d4b00f89efdc159

SHA512
f347e92d4135484761d675105f59ac8ca5fe3b85ab1e219afd6322287392a78c2b870751d9603fb0e63eb438db86d7220a7ff51f6437ba1eda55d4a53d8a427e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
45KB

MD5
b7b29362a3967bb50fa91a94de7282d9

SHA1
758b1280762923ba2580824da0da25d8625d9881

SHA256
851367b8cfcfe38f3e4483e4595e957fd414ee27279b6311c380f8d698fa6b79

SHA512
952818529cf57b8e4138b71d2783b3a862390991e5e53a53e8b1e894de11de5ec627fa77a5a80feca53e4cca0c7595dbc10082799480e2b8e485bce8b0c7a0f6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
e83b8d61472625f141f8738c9a29d046

SHA1
d6cc3c61f916adf4817fc38c2cfce51d63446c55

SHA256
2e99b6c980444935ea75b412340adf54dca0d8d021e787c5717f4f6836b04088

SHA512
fb17677d370661d7279d49db6b9fb3cc4f60b230e7e5168a7c25840f23c2685a0752b8c16f419e2bd80c9efc5092b5c7a38ac6fe1e4013296cf2ed5205270e1d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
9e9d72969d965c1615f09faa73ab76df

SHA1
23a7710c4ec37dbdce7d60d42ee9abd465cdf271

SHA256
77d9cc94276255e232b2073405878f98b611a4c34a181a3627c8b234d54b88eb

SHA512
0487107e9ddb85f752837779dd1ffef89a079064179d05afeaea1bf0e633ef9e418d1a76d7dedf2711a53e932f7f180a7163f9d0688291c59b5aa9d6488f7a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
91KB

MD5
3918c62a66c944ad209bb0ba7b10cab7

SHA1
1fa06b321c6d1d181f37caef5217851d559ba867

SHA256
54f967bad50ec2ff75fb8140727b2ae5b8896b3c2a26964690ff4285ff5eecc9

SHA512
fa5a17970ec0faa90a2608770227d3e94ab8f9db185c092d05c61c80b18879345ae04f1171697ba015f27793934a989db2ea8bf448a5d08c83d16e0f443a4d2c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
82KB

MD5
10781e1b4672fe3b91e9f97f0c5318fb

SHA1
ca8c1b419bc61b61bf9fa8fe003c5db604a69e2f

SHA256
2d10e5dff9e6b179d47ec40528bc2b99ef28c76d664d42a48d69b760ee6d699c

SHA512
7472687e6b1948d5b91048b2e76b10bf35de7d5526c63df8ae5d0ebe24cd360418b4b56396bd0d92673c254a226928c93f7dd40a399b4f9030688d08a5c8b86a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
45KB

MD5
4d32f0fbc35661f11ec6ed129cad9459

SHA1
116d1901e0353351c21267a843bbe6358a7899e0

SHA256
924dc2bbcb7b93abe69f5d3d30e014f15d0bb8cdb34b09932bcdfe861d5559aa

SHA512
cb98a7e947aa5cb72ebdfc14870894b3c637231752cc897916573e3919f10c09713ccb37a1f2135e4e5d06d5fa1ac6c3a44f0d52bddfabf921da287b8738c2a0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
535KB

MD5
4a3f98d1548927d2a66c31ad74236ea4

SHA1
8d33c534cd0e8d9fc91d376e6abbbe18350cea07

SHA256
bacda3b39601a7c2767e3deb3cc60c5d2b5e11e3a7b3f5f35039bacf1404d4ce

SHA512
ba1b491233199a6576fbdf555d485e1d69010009e74dcce82ebfecb2c72ceca813bc295f1e012e895fd53f82f0cf89369ab6367da6d4dfab0771a62d8a675656

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
25KB

MD5
f42cc99d44c07eb4384bde4ca3c5ec13

SHA1
e7d1ddce3e33b51e591b01cee908ab6751328ea6

SHA256
253bf9fdb75a3ffcef190606f9b29963ad893807d7e4a91773056439cba8d406

SHA512
825d1d3eacc61877005a7c378c9e4b45bbd9dfdd5feafb2080ff39ca73b1b339f70d8c494ebdd8519e28740b6663bac0e45de5aa0a20069fb45f51ffe1c805bc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
111KB

MD5
9e3041e702ee940bcb85cc729d0c80ea

SHA1
51ecb749b38b9398f3c09761062dd814074bf2b1

SHA256
885b31a336ba5eaa05099c32516732313c036f9440bd2cae37ef99186cc0f2f0

SHA512
59d551b90643d4b4d86e0fdd3bf56996c5ec45f7d1e5d6b3796aee9692033961c5f23f009cad862fd17339e506d6e0d1ea94103837d03ddeb660ec687a2bfd10

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
436KB

MD5
36c884b0d914cbcb88812abc651c6522

SHA1
a108119882c0b898db994c8261ceadeaef76409e

SHA256
bc6d6eab80e7721c751bf483bee2f406dc6f3de509dc7bb5f92ce428adfa741e

SHA512
c869c8cc8703b6ca39ec1837d6d89783a1c6f4aa14eb426744e0b2ede726694861f96676e6e9aaa8858e018098a86432fc03ba20f53b6df40416d856865f993c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
242KB

MD5
8f7a14bfbba1ba8b41a4f396eea6b119

SHA1
411d6837d06bfb6fdae93ea968c6fdbe33eeabc1

SHA256
297b5911065fa3090a42bb32f66b53419633df01ca35fd9f47e139bbc6cf89e7

SHA512
fde1cd4ed4dc021780ffbf774284551a7a108ec2842a8abd694aae61c5ceba294b579c5a281fc1fddc521e7e28c241bdb7b28a6cdf55636a3e7e83c1a9885d3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
257KB

MD5
767af6ba93d7e1d0a579317b37e081d4

SHA1
ef7ea6ae30fe7628648a7bfb593372e6ed8069d8

SHA256
ebfb13a29ce03e5e27bc6ea2dd712d04f5704622ac2cf929b7d46397cecce8bb

SHA512
bcfaa94c3f5aea22097a4cec06c39830c994b992e26dc7a5c92cdeb16922d4a0f7ee34843e8522960eeaecfdca84f33af77f06b106ae45d139625569b72e0b92

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
100KB

MD5
e53d1e7a39933ef0e4759f7f91981614

SHA1
90b9af244874eb7a54b0495aca1ffbc751f4efe1

SHA256
f07d2e145b32e3d19ac0d925713ac039227394470c0d3ba319144d99e10b3d73

SHA512
c08d79a728a15533b7917270612e9fde2a4ffb0fea71ab1274633655dcf596cf6b8d9bbb48f028a21980dc9eb80e52f29e801a11bcea360e4ae5f901bc03ab3a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
124KB

MD5
8db15fe43760b9fb2e02c8b8d2d3ea74

SHA1
a948daf02c792dde31aa2e2c6ed3031e3bc82447

SHA256
816692b03bc6c4f2acde2a53069eb5a5f3b6aba8f86524756c8e5b651b774f31

SHA512
61c3953ea7ca1d2dbe67c42dfbb9b4c6335b6fa99af874c3ed9e588313656b31baff00a42b21cc4d2fc61b31d810c67608300ab65b3b635f3748077480b88601

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
91KB

MD5
73b381a18cdd8a95641afe4ff898e321

SHA1
5664ab292dd57b41101d5a7c9eb57a3422f2a7c9

SHA256
6be6e2e3abea09d4bccd79158ceea7a17da4975c0463e76b022b1c490c182efe

SHA512
76bde82cd126f388d49c171c1ee6ea925b6a6f7dc406a1494fd9390fd11a82411a6fc09100965c771bbde45fa23f71034afc18da17f044f85a642d974500e297

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
136KB

MD5
a2662104e5637e2d792de2b40a0e96e3

SHA1
c08c4d6b3192804f3a8cb2e08017a8c3e055b259

SHA256
8da8af93d280c59175b985837029228d4489bd63b908051cd408a445e473e645

SHA512
5d3dcaeb49a8c76a9169ff07d13ea228352b10a0f9322d4795b7be9ad3ec0c795775088b02a182767556fa294154307229d3c90b1488a3c39c70714704676994

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e542eb7c196830f4c541142b484fdc98

SHA1
ebd92d608bbb2cc6bf2b106abd6109657137056e

SHA256
3e783970fb04c9619c5322d8214c9a9fe5146f30ab32c517c04b4d8e34f2e86d

SHA512
67dac05fa7d32300902b3580e2a6299c4ea58b1aa662d52b7e5554dba7805c125bd6025032f335d33f8604ec3cf1d98f9bab53da6f2a9613e7f9ac5c6e80ae94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
126KB

MD5
db609329a3ef8f17002767de33dca64e

SHA1
a1368590512a8bc08684a049693c1ed00d05a5f7

SHA256
0c7e191ffde7d54f2ecb0bf5ff72d083f3d50c032e8d4d7fffea0e2c6798aa68

SHA512
cd7d2d4a46673c959107a9e5733d59a301c958c45b9ffd3a8cc07476a53e3c78c39c869e93f82fdda6ac398616efd7fa04d9ccfb62ceee45bd46cd2bc5e47ade

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
332KB

MD5
3c1db2a75bc0a5c754c1ba1fa25a71c3

SHA1
2084be86dacb1c0219a8e58c78038229e46b2c0c

SHA256
9bda4c754280fde257f5ef3bb77737ff4872719b832d3141cb4e6006d5001631

SHA512
1c0f54d7a3a8df2a04cb7796bafdef358e9550e2afe41df3be7686e1a4b4e3152b3b7097a916a61114d68a2ed7ed6ff4459c3fd8fc15d6f1f3d295d281830618

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
194KB

MD5
156ccdcb9e4d3358a4fee372ff10fae7

SHA1
982c2bdae8ac49e507c054f5f0ebec488684ecb6

SHA256
cf8f5433997a74f9c52e005ff4ad89fcd0edba085f04e7cf9385e67dcf7f50b6

SHA512
e4f278f3f1f55dee269cd950bc2ae9489c4f227ce4e69c961b078f14330c2c28a60acd729e3b16062e6faa7e745ef248f73d01e9bd30e813ed475dfc710d0b11

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
121KB

MD5
830786c719d4ce5a873660d0578dfe21

SHA1
cb0dd689bab745003270c9d689e9c5bb3e1ab8d9

SHA256
d748de372d2eda34bb40e9abdb63b50e65815e66dfbe27a8be6edd870146a0b2

SHA512
35e28674544f6ee3499454aa95278ac982a1ec291a123bbb90456a316bbcfee5fcf562e720aa9198705d48179cdf956329f49235996e397dc17fc2da19338b8f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
122KB

MD5
d3936215b4afa6a506426ffe19253ee7

SHA1
624f02d67d6635156370892ca6876d7c730600f8

SHA256
2a159ffb1d6574dd25c83f22364af56939ef53ee87ebdf3c188a2f4108075e40

SHA512
b50577892ac6364109347390ee2f990dac40b1665e4ebdb71a5aeb859c156b278e31de4407db9be0109983098a39d573999c3ae0587528411db165a29dd7f639

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
7KB

MD5
ce03102f72117f74baadacf3ea026c9e

SHA1
57d4f4d2e24729c8c6155e702ba642516747d149

SHA256
4457f7337dc05ba327134b31b729bbc4c1a8bbe1678d205fff760a7187b046f7

SHA512
f0213b5a9ca091e8c9ebb700bf46d5d9fdd4a439caf1e540e0ac4ef3739c5bc54beabc3ee2d68803a7bb09ade0e216040ee395dbba7b807a81b482653421e37f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
110KB

MD5
59cd98bccfc6191fe67f068efbe5a15c

SHA1
854a1aed458101d6673852a222bb4c0b657c0338

SHA256
7c034ed898c064b483a1ac5f632c8cecdc40648d43182c9dd0ef035b8aa36f6b

SHA512
9ea2da332a6e44d1a5aaca36d09364ccb88b34de644da80722a8daa545bd8aa0b675c3bd57648102067fd6a14a06f7be9733a714124d5e169f53bd863bd0ddc1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
84KB

MD5
34251e4265d0b63149e388bd789b3369

SHA1
66793caa704f9a3295de9697d6a4b260b409be06

SHA256
90e633268998a09493abf233cdd09d1ca633f50620e913c7961a6506351051f2

SHA512
546f4f0caa379c080f9a9a202d550573e7c15a378125ccfce5af63c1d1b87d8c5b834a70992711e8342f548e56eb1a9c22ac7f49c5e22ec15d977836b73c3784

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
362KB

MD5
10495cc2f02ce244254f610cef4bbda3

SHA1
4838d3cc8f4d66b15516569c7ed91d2ece6880c3

SHA256
b36b4ca9a76a3278760e9824dadb85dfa2564296147e6ad1b3534842cd962d6d

SHA512
4eab380618d40f53a132ce683329c99b83526e0655db35854eb1d3e50d783bfcf66f22f7a980c4a2dafabc9105b490c1c62eb8c0d4e27308f6e669bffa24271e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
281KB

MD5
bfcc0f8dc5410ef618af3497fd1da8b7

SHA1
d56402160b667a527bf71cc663e4369e45606e5c

SHA256
d9d578ace6cf9b4b758a0874ba69f18f33b1d3a605557761428c899348f1a832

SHA512
c4d24b1c6c9db08b5865aea8063f77e375bb5a6dd305b2e852c8d43f03dc03af1970fcb6bf9b9f0bff04d0cf8ebc1a7b0b1d4be30b500ef35b6d372518fb8145

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
81KB

MD5
da90cbec1503d157cffcc3adc9ce2fe8

SHA1
0f4597d48c0303654b776dacc48a7b2b47a806e7

SHA256
95c6980ffc278e0fab00b0c6e80f247e5b29a9af0d88ecdb7f70457ff8f6645f

SHA512
b24ae97def475385eacd8e0192d9dc3b28a5a43da6f378b55665e7382c5d40eb97d0e1e7289eb6d55e52b395b92e589891560f8bfbcf3edc7421a0d2427b169a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
299KB

MD5
3d87d2212c345d4bc10d2bf47cbb13cd

SHA1
be81f9568d549627ccbf4defd4abaf07146ee717

SHA256
01be51699e55224db6d0b400783b97c81b5036d657130571237417c03857da16

SHA512
d718a4337584493e23b094ca85f48835b165ab4fddc7477c5283e370fa5f4e43057a82b9a871053674838c8d0bd102b777d705dc1adc4254c88ae9c0ca7eb7ee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
87KB

MD5
7519faa8d8d24f5c55a3d0f70837b2eb

SHA1
232b6730199f45f5bb60df88b742d7ae1f75fc8e

SHA256
2e6d98b81826655206078630ff83ad8e53cb60e1d4f6bfd1489162af5b54f249

SHA512
d1c12e3402c9e20dc943a18adefdcc276435c37eab2a32c3f6cb104a9531a6b53b1aef85f1e1787988bbde92f79e4de64390e4fd34341917ee717003fb187661

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
80KB

MD5
0e1421e9bdae913373292a36af21e4ae

SHA1
82c20c0ac06cd7da7b1eae3cb3edd65ec94c7298

SHA256
adfa0b020cad360cc19717040c51762ee856a70e6374f6361f90bf5df2e5c057

SHA512
764b10fca5db0ddf1d29cf563696561a12f6401aad42224f6ec85166178b0d1bd7532b5be6723c9ce0b920776fd329aed396e9c90161a18905922eae7a013bcc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
34b1206079528c8cb7daf3e8bd2c14c7

SHA1
48cabb0836e15c339ffd3b417fc7c44cb64a021c

SHA256
a8cb4da4c6259e36e8dc433f4e0fb6faf569cf76716e5d0e74799a29ea4610e8

SHA512
e8e7a5aacdd34d676c28525057fd4b8be2b29a27e5030cc471cf0b8f46a6054d2b92f96713dcdabf77201b18efe4ef146047707788d2d2ed0fba0f218f8fd139

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
290KB

MD5
6ffebafb38d19c33d0ba4611bc2b612c

SHA1
a88935b670ed41d1b003f2e648231d43e777e1fb

SHA256
82d1acc4b224a3bac00a73d4a929df98cfce7bbb82d4335036576e6e1c94892d

SHA512
22af5788e4ac7a4db7ac46593a46b8a48924fb9cd4b07aea324021f2f1a8dfdccaa822daba7c6fa2aab04d1c9003272b4dfa1b6e5a462bfbbf9f1726cae9fa8c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
631KB

MD5
c09762cb8c5b37b7a620186e5c4f0221

SHA1
5d759a868220046c40e04cfa9f358666cf64f6b2

SHA256
2dd61206e4f5927870bcb937a09e219207e15ab48e0ca9b13517597cc4354491

SHA512
80706b2ca4e699725aa14817db414713eb07ca03dadc311f4397796d077a2628d14ef0190571d7177ef30ff52633093bedc5c998c599abd3375e88e7dba7a543

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
543KB

MD5
fc6270d79a3a5e08f53a5375a3041d5c

SHA1
bee0dacba32b8eb043b852ab581a01acab495cc3

SHA256
64afe83379f0152f15b66288b53bf7366aa1d28c4f15693a805eb7cd5978c146

SHA512
fd1d8a0d43a4fceef72b1610171c8571ef7a627c07fa7551ce4adff1df19f2c9867625c47ffef912c0af8753c993a6ce63ee6b4c84211f6523124210d5f8ac19

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
301KB

MD5
7419237a1af4f8c332be7fcaba32d7d6

SHA1
7baaa44fb52765f668126ed9d691e3a03abc9170

SHA256
b1faafc5a7d723e8d072767a8d733cb23d8169d7a74c5ba774111a56a313bae0

SHA512
4829a79f7993f559a197381498a528f160809c2eca3502788724df695a7af39eee6a646a0811376ef1d519fe553b6375f76cd64f1487393765c9dcb829703b49

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
698KB

MD5
84feba58ac7049e8f726e6a000c6d156

SHA1
4181b7f35a061127a7d51c3f3121d052d576c150

SHA256
2de9cd967ec39932298bdc9d1d023147ee8fd1dbfbb2223d62f616395b04db67

SHA512
3351f97d9f8fbc5dce550da5d631c54574bda92a339961bdb6766fbf657364e904da1cb676eba3aae4fc8ccdd31eddb08bd8c65fccbcec913997ba2ee0395680

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
340KB

MD5
2e62cac3d8e84bd20a6bc0f30790e273

SHA1
c7993ea4aa5a52902cedbd765f0191d05027e596

SHA256
c204d35a2b97439cf23aebeedb1d989c989ec5255d5d54bdf8d45823737b4179

SHA512
5cffbed7e248253c0779012cfd6fc675a7628001e2cd8d4ba9bc10016c1ec149f2064b06c3ed83d01b69af198a35daeea35434afae8776ae47b0ef0d6e6b1f19

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
1959455d35db3b84211ebf46d1724587

SHA1
f278b262f8dd29ed2ccbae714d54bc2780562198

SHA256
15cf39271de0588ead8752c525c5955c53728eebc626650456c98569eeff44e5

SHA512
ef87217eab56e0e9618048e92249ffa7fbc29f993cef43594019496e811a70a3bc326b32348f452d39c34d4dba85c17f9ee3270daf28ace65059a8d743572d73

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0bbe6920d08fcfaac415d46c0e10183e

SHA1
d6e5eec83e92cb308f8ba55d2056f34c0c7046cd

SHA256
efabd8858203a7ff56e7f1a390f06b3a806f3fe5b4b274da4b62d3b5fe1cbf13

SHA512
ef315f00c7adb203553dd810d9f70a8d8ddd889765d2d07306f0b1a8939bcce502261960bcf96e317e7d61a8ac5111c2ac2819ff3479aa5433fda25e757eced3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
175c13c8ae06e4c3e4a95fde2ef2b58a

SHA1
51ed4b419d9a664317d78515c34b40d8ed7a455b

SHA256
3018333d5642bd2ca36bb373dfaeefc6e184b031e5d3b350cf19899698fc436a

SHA512
1e3d67d4a40ef58b0c4a8b9ef195f42fa7f0843739145dea35a2d37cb5bdbe1e8f66589fce85f1a6421fa60c7c79fc89b7685335138bc9641829d30384906191

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8f1896ee212029c9d892996f02ada1e1

SHA1
a5efc6b717f93857969037bfcb1b796b3174b95e

SHA256
d050ee31e9292531b29a1c1945a2279d88fe09f453fcf629c8a648b360e940dc

SHA512
fd6aa89b8c9e9170d314edaf6d2f3d5997ce9b8c3329ef22dd04eaef07cf5374ea0a5effa2d27e7365b054c4ece1abd77649d193f4bd8bf1883230ae4073c3b4

Download Submit
C:\Windows\System32\alg.exe

Filesize
87KB

MD5
6917bf6a86ecbff4d8b9ef865d94dd20

SHA1
56400eabd625a22234442ae80502d819bd5d51bc

SHA256
d1a0e5b2d1f59476f13814ecea201262abee77bfb3e606bc4daeb9f99c9aac33

SHA512
8b1ff328fe0618633c0b1e45f967c024396306b5b390757baa245284609d3c2e623653857cf6fecb7b19ff9f6838dafdd58205775fe4887f0d6eadd32b9f0918

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
364KB

MD5
3294d51990f47752cb51fdecd998f75b

SHA1
da24cf58b97ead3cd66f8635498f027805bce779

SHA256
e2c4c6755bceb81caa12053073ff541783a9cdd429f597001b3dc881eee51aa9

SHA512
37500e03b704662e1bad41f391b608265bbf214ab40a26d721b358a9b7e219b93feccd8b0c408d8123366aef204953345c915f73fd30ebb488b73757dc65b89e

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
3820359ca14b219678cc5103c8932bee

SHA1
3def745e5725716d017a88c0e4a2156add65d0a3

SHA256
e856d31e4d43d1c1dabdc06d654ac6606d104e2dfab9b18b298a24fb03ae2e45

SHA512
0d82add92f15e818f1670416f21fe9ccc28a3fc57ed60a326473ead6cf91b90ec71c45be39c8d9984e06d5e05cf90098c374a04b5dee8686f6355cbaeae14c8f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
607KB

MD5
97076f405dfa5bcbb3ef22ad9c803a7d

SHA1
aa9aff8fbe81ad13300232a2fdcfc07f981b3187

SHA256
cb8ff518652e015201f5e548de5978f6867d06ef9e5892d7091aeb86969733a6

SHA512
997b8dcfb134e0a868ad9e7715b3d106b873e1ca5cccaa513e9bc4a8cf7349019bfffc275ff5ca5ae9e7c4b98cc499e82e604d21c20e9ad0af6b45354f717607

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
ee906051aec3c1de54b57d85bc7dc904

SHA1
d10b6503fff37060ca83b4806db3fab73c7b7116

SHA256
7f283a3796e76a059bbe92cdb74de3cbdbe481fd5833cddadf4fb4f9f1c361bc

SHA512
e37576effca1449157bc157af04c08bc8a8010e5130d7e36a48ec489eb6d67dc81fa196c156451ce13d2f7cedb1ebf10885493e0eda31d00827c8f583a033b72

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
28KB

MD5
c44e68199c8904b3cf8dec458e649116

SHA1
c48d777a32b9d8e975c2ac1f46efa9242f7bcbfa

SHA256
90887f50487227b8d6ef5375ac7b578c6c2b283b29a0e20e7b6c3dc166910cad

SHA512
f92122afb911fba3b9588f321630a45ac169cdb4788b1b4adcd69fe4cce8077444162ff740e46dd12a5d55bab0196e7a2f9188517c42573e3a39038c844b2f97

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
1a8af3b3f12a8f23dfe2cf00e19b92d8

SHA1
3cb0208072aac00b118d592eacb51d25e833919e

SHA256
8355ce750214cc91c9f6a50eb80829f9ef72b74f0312057c942bfab920799c92

SHA512
fd9541da39a21203d1d9c631ad89fe39ed81ea894a838577eeb0bfdb9e47823e49b6e06a67e2708f5487db62c2490bbe91f5085e86d5e5b259d133a1610fcfc7

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
9d2e1823d82b08097e9b974cd16c3699

SHA1
69389852d61b23a17ac6d3073c11a002a5799628

SHA256
3fd11c7baf572729fe0fc29cc94395f06c06e9403d415d4483848dcff2572d5c

SHA512
108f46497cea54327f0b4a3554f43b7bd7f0740fa8fde2f315167b7e6db05a2e779bd1d05a5e1275c23d3c13c85878196ac1351aa40f4696d73821c790f2b133

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
127KB

MD5
ce92be0c5ce96b9be0545d7c83585be6

SHA1
6577b7fc5f944d62fbf9b1e80b81afb14253cfde

SHA256
53e8dcda75cfe3c9017414d063314e573faaf2adcafe65a1d8240f513a152bb7

SHA512
d7cb9c7313efff0b0c9d27d7cac386a7cde0661e53d19ffc6c501e2fba643cae4860a441ebcadedfc3994adbeb314ca323c7fbd499d6ce062cbaf60851a22899

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
744KB

MD5
3921131e417456135a8a4914d386cdf1

SHA1
aaaacb733770b5fcbfe37bcea7b0620b14392616

SHA256
12b4abffb48b88a68aaf33ee83dcafb6da5aa0ccd259ddb58ab0668233d1d82d

SHA512
a94b8ba386c669058fe5de35bdaece65103f6ab1212bbb642e1f4d983238b3181ca56253ae87349247de849a58da604d32f2c17f4a03e2aaf3c99f6dfdd7de37

Download Submit
\Windows\System32\alg.exe

Filesize
386KB

MD5
26218bc9b2d1d72ea00ff7f125de1fe9

SHA1
2498f7448682f4f7b2b33e05db4c7cf37443d585

SHA256
ba47133f3fc1e0ae7f15f5275019b5925e532ffac0e36653421fffcabc1ba8d6

SHA512
d8434b4b3a4163799825d1a031fa83ab9c94430a51620a51cc4409147a883daabbcd82ba26aa79bc7933b0c2078a4c0322afa46c18c182d4fc2a4e3715a90ecf

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
4d13633eca66db32f10326413f2918c0

SHA1
240221bae555d7d86c2cafa6c2144a04057d2ae2

SHA256
da6829ed7c33f91b66c2be700764adb96ad607568b8e2493849f57bba1f84d02

SHA512
30695c0001d8e864c62c306748134f291c92502bd3fa720bd2cae28bbcca7afc233e4a1347d50334cb4624074988141b8a773b4443677e5956556efb32497e5a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
e0c0927c36cc2e34179d96f2076974d2

SHA1
e6d8defc20980779e154e431c697f27f09cd2d3c

SHA256
0566a5a832903ae6c529e7637b1e96cec2d1daf271643226146d1fb1047bcd29

SHA512
a234f35b702c0981c7ab1f816945bbd8837f4ac25b291c2a451edb54d10d97d205725944fb556d418749bc832269a98aebe14710d42b84ae1e4f9bb90d18ebc7

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9155e134f976d5ff16311d124eaedafc

SHA1
fb91d27ffdc07c17b67cc2077a8524c4d6722e01

SHA256
0d253a2445826fc2596cddb5ba3050ed35d3c59a52310e65e5feafb99d3eeb9e

SHA512
2316e264aa52ad71c62efeb00e485009afeaaf2c3ddcc81c067b306909afb7d0bbbd6259bb0c847ced93bc029eac984646fd70befedb1d712d7bc7943fcb3f50

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
b3c7eeb7cd55ff5e7a16a4947dbf4b86

SHA1
64991efad3b3dc30009595ecc8843466010564cb

SHA256
ba8d542fef94d9733593d613962d59265e28451b1ed97bf708172045edee2586

SHA512
19aa810841e3f046e78d66ed05b262e77cb46f7a80887df00ee3221de6bb81cda4a6dc401208a3c90589de5ea082caa5e09bed4a7fc9f85ef6e9b0fb100a3047

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a9aade227fff6424a143c01d3f72caf7

SHA1
dfc446a0763288c7b0599bfe41a4c1a523cfb5e5

SHA256
3a9964f95b37acfb74434320f11aa5478259f8ab00078c61b4d3f4b23a174513

SHA512
9b590617cc6ac394faa7f7bd0252c74641e1656d52fb36a959d9f04995c683dca45c7b8de9f5e7c55351b9c45f277b3d2511269e510db82760447b86fb3fa932

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
43KB

MD5
a7b694552f3c3c49efdf0880da916999

SHA1
c556fe4e229093aaf4888878c3b45099395a3369

SHA256
f777c1cbc6f8b924438fdd4fd9e1e7e50513b316419501cc9d4e32c6498209ec

SHA512
e35fa85fcd6167b9cbb37fa51d5b79f1f09c035aeabebf2abf24b18d586988d24d3fa276aa74fe8d3fc2488ba9ff3e7597f23b6f484ffb0da1cdaf03f15071aa

Download Submit
memory/588-355-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/588-275-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/588-193-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1040-94-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1040-100-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1040-93-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1040-179-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1272-361-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-356-0x0000000000BD0000-0x0000000000C37000-memory.dmp

Filesize
412KB

Download
memory/1272-378-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-379-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1572-122-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1572-159-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1572-130-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1572-123-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1608-422-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-418-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1620-284-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1620-374-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1620-293-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1684-397-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1684-420-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1684-395-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1684-421-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-399-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-104-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1800-105-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/1800-110-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/1800-111-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/1800-136-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1840-345-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/1840-335-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1840-396-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2100-329-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2100-394-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2100-337-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2256-344-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2256-180-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2256-187-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2256-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2256-365-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2256-277-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2304-147-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2304-290-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2304-141-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2304-142-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2308-392-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-393-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2308-377-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2308-381-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-170-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2368-323-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-161-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2368-164-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2700-317-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2700-306-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2732-162-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2732-78-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2732-58-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2732-57-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2888-320-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2888-360-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-343-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-333-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2888-359-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2928-0-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2928-6-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2928-140-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2928-270-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2928-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2952-405-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/2952-376-0x000007FEF4A90000-0x000007FEF542D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-313-0x000007FEF4A90000-0x000007FEF542D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-380-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/2952-305-0x000007FEF4A90000-0x000007FEF542D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-294-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/2952-351-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/2952-398-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download