f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351

Analysis

max time kernel
133s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
Size

1.8MB
MD5

a3b63f837716154075bc4df84c0d7bfd
SHA1

481554565b90e612e890d466cc3966d80f9ac877
SHA256

f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351
SHA512

ede843143cdab99e1dd4a8fb9ffb6c61ad89719c1681b1fb14563ab896f78ab564f60f01caff2376253b797b0a3215f212f7b29d1c0ff35e611886c0f25bb854
SSDEEP

49152:ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAEEjhMjSax84:avbjVkjjCAzJ9QWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 41 IoCs

pid	Process
464	Process not Found
2112	alg.exe
2796	aspnet_state.exe
2908	mscorsvw.exe
1040	mscorsvw.exe
1320	mscorsvw.exe
1092	mscorsvw.exe
1952	ehRecvr.exe
2312	ehsched.exe
884	mscorsvw.exe
2440	mscorsvw.exe
2716	elevation_service.exe
2844	mscorsvw.exe
2612	GROOVE.EXE
1028	maintenanceservice.exe
1780	OSE.EXE
1652	OSPPSVC.EXE
1684	mscorsvw.exe
1920	mscorsvw.exe
1308	mscorsvw.exe
524	mscorsvw.exe
1540	mscorsvw.exe
2320	mscorsvw.exe
2376	mscorsvw.exe
1508	mscorsvw.exe
2576	mscorsvw.exe
1524	mscorsvw.exe
860	mscorsvw.exe
1676	mscorsvw.exe
628	mscorsvw.exe
852	mscorsvw.exe
472	mscorsvw.exe
2584	mscorsvw.exe
2120	mscorsvw.exe
2420	mscorsvw.exe
2924	mscorsvw.exe
960	mscorsvw.exe
1252	mscorsvw.exe
2616	mscorsvw.exe
992	mscorsvw.exe
2428	dllhost.exe

Loads dropped DLL 5 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\be8bcdcb93c0dc56.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\goopdateres_fil.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\goopdateres_mr.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\goopdateres_tr.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\goopdateres_vi.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\GoogleUpdateBroker.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\GoogleUpdate.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\goopdateres_am.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\goopdateres_id.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\goopdateres_es-419.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\psmachine.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4672.tmp\goopdateres_ja.dll	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{480F60EF-9141-4F29-B842-74D3719A6611}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4A254F1-4F2A-4B30-BB84-1626693351C7}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4A254F1-4F2A-4B30-BB84-1626693351C7}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2352	ehRec.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2132	f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: 33	2712	EhTray.exe
Token: SeIncBasePriorityPrivilege	2712	EhTray.exe
Token: SeDebugPrivilege	2352	ehRec.exe
Token: 33	2712	EhTray.exe
Token: SeIncBasePriorityPrivilege	2712	EhTray.exe
Token: SeDebugPrivilege	2112	alg.exe
Token: SeShutdownPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeDebugPrivilege	1320	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe
Token: SeShutdownPrivilege	1092	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2712	EhTray.exe
2712	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2712	EhTray.exe
2712	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 884	1092	mscorsvw.exe	36
PID 1092 wrote to memory of 884	1092	mscorsvw.exe	36
PID 1092 wrote to memory of 884	1092	mscorsvw.exe	36
PID 1092 wrote to memory of 2440	1092	mscorsvw.exe	37
PID 1092 wrote to memory of 2440	1092	mscorsvw.exe	37
PID 1092 wrote to memory of 2440	1092	mscorsvw.exe	37
PID 1320 wrote to memory of 2844	1320	mscorsvw.exe	40
PID 1320 wrote to memory of 2844	1320	mscorsvw.exe	40
PID 1320 wrote to memory of 2844	1320	mscorsvw.exe	40
PID 1320 wrote to memory of 2844	1320	mscorsvw.exe	40
PID 1320 wrote to memory of 1684	1320	mscorsvw.exe	46
PID 1320 wrote to memory of 1684	1320	mscorsvw.exe	46
PID 1320 wrote to memory of 1684	1320	mscorsvw.exe	46
PID 1320 wrote to memory of 1684	1320	mscorsvw.exe	46
PID 1320 wrote to memory of 1920	1320	mscorsvw.exe	47
PID 1320 wrote to memory of 1920	1320	mscorsvw.exe	47
PID 1320 wrote to memory of 1920	1320	mscorsvw.exe	47
PID 1320 wrote to memory of 1920	1320	mscorsvw.exe	47
PID 1320 wrote to memory of 1308	1320	mscorsvw.exe	48
PID 1320 wrote to memory of 1308	1320	mscorsvw.exe	48
PID 1320 wrote to memory of 1308	1320	mscorsvw.exe	48
PID 1320 wrote to memory of 1308	1320	mscorsvw.exe	48
PID 1320 wrote to memory of 524	1320	mscorsvw.exe	49
PID 1320 wrote to memory of 524	1320	mscorsvw.exe	49
PID 1320 wrote to memory of 524	1320	mscorsvw.exe	49
PID 1320 wrote to memory of 524	1320	mscorsvw.exe	49
PID 1320 wrote to memory of 1540	1320	mscorsvw.exe	50
PID 1320 wrote to memory of 1540	1320	mscorsvw.exe	50
PID 1320 wrote to memory of 1540	1320	mscorsvw.exe	50
PID 1320 wrote to memory of 1540	1320	mscorsvw.exe	50
PID 1320 wrote to memory of 2320	1320	mscorsvw.exe	53
PID 1320 wrote to memory of 2320	1320	mscorsvw.exe	53
PID 1320 wrote to memory of 2320	1320	mscorsvw.exe	53
PID 1320 wrote to memory of 2320	1320	mscorsvw.exe	53
PID 1320 wrote to memory of 2376	1320	mscorsvw.exe	54
PID 1320 wrote to memory of 2376	1320	mscorsvw.exe	54
PID 1320 wrote to memory of 2376	1320	mscorsvw.exe	54
PID 1320 wrote to memory of 2376	1320	mscorsvw.exe	54
PID 1320 wrote to memory of 1508	1320	mscorsvw.exe	55
PID 1320 wrote to memory of 1508	1320	mscorsvw.exe	55
PID 1320 wrote to memory of 1508	1320	mscorsvw.exe	55
PID 1320 wrote to memory of 1508	1320	mscorsvw.exe	55
PID 1320 wrote to memory of 2576	1320	mscorsvw.exe	56
PID 1320 wrote to memory of 2576	1320	mscorsvw.exe	56
PID 1320 wrote to memory of 2576	1320	mscorsvw.exe	56
PID 1320 wrote to memory of 2576	1320	mscorsvw.exe	56
PID 1320 wrote to memory of 1524	1320	mscorsvw.exe	57
PID 1320 wrote to memory of 1524	1320	mscorsvw.exe	57
PID 1320 wrote to memory of 1524	1320	mscorsvw.exe	57
PID 1320 wrote to memory of 1524	1320	mscorsvw.exe	57
PID 1320 wrote to memory of 860	1320	mscorsvw.exe	58
PID 1320 wrote to memory of 860	1320	mscorsvw.exe	58
PID 1320 wrote to memory of 860	1320	mscorsvw.exe	58
PID 1320 wrote to memory of 860	1320	mscorsvw.exe	58
PID 1320 wrote to memory of 1676	1320	mscorsvw.exe	59
PID 1320 wrote to memory of 1676	1320	mscorsvw.exe	59
PID 1320 wrote to memory of 1676	1320	mscorsvw.exe	59
PID 1320 wrote to memory of 1676	1320	mscorsvw.exe	59
PID 1320 wrote to memory of 628	1320	mscorsvw.exe	60
PID 1320 wrote to memory of 628	1320	mscorsvw.exe	60
PID 1320 wrote to memory of 628	1320	mscorsvw.exe	60
PID 1320 wrote to memory of 628	1320	mscorsvw.exe	60
PID 1320 wrote to memory of 852	1320	mscorsvw.exe	61
PID 1320 wrote to memory of 852	1320	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe
"C:\Users\Admin\AppData\Local\Temp\f38670977721f01f09f3a838d1584cb53feb9fa21dab38c31da74c05f35cd351.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 260 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 1f4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1dc -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f4 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 278 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1dc -NGENProcess 1f4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 280 -NGENProcess 260 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 240 -NGENProcess 28c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 27c -NGENProcess 278 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 260 -NGENProcess 278 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 260 -NGENProcess 290 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a0 -NGENProcess 1f4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 27c -NGENProcess 278 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1952

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2716

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2612

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1028

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1780

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1652

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
b42c6ea8a0cc882633d63913cf40951e

SHA1
91d8ef8a7f93ee6b505eb417dfe890e7a8eb94a0

SHA256
e38b66ae0207a040bdf0aafa75d474bf7cf7f2182fd1e167349154efcf669bf5

SHA512
7b68a7fd50d5b45745a1f770ab7fbaf8e46f4c3fc8d09b0d8d6085d9a8d8bf2f76124f8b12dbb9e0d7a3f59bd471d063dc0d4a2b90975ded6080876170509d77

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
2206b4a163cb6b67e7ad82fc9dc29882

SHA1
ec1f4eb6bd3cb75fdb7ca15241a442ff5d94a18e

SHA256
57e375ce6941ef256f6528c460b523f512f70da6b132921c1bcf954c2d43a698

SHA512
b2b04353b79fb6a78c513aa703ffb117082a0abafe79aa7682a998f3937f4e07fd20c4c5f236f6fb277aef04b9b1fab88c8f4bc35cfd94eb69fb027d9bcdb8d5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
76e62dd005002604fe113045d97aa5e5

SHA1
9ab5a7c1119c571f9507d0b27330b8d60529d26f

SHA256
dc6d88c03def21f5b934aba64c9dca7058c064a23b999007ffb122396d74f41f

SHA512
19aa2aafad635326834d53015d48d0b60bb83b29b3490616b7f9b505b02a85b41e70fb06a5b018d93446f0dd9a56274c5760a1c1d0287367649502621d0764a6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
5bdaa2dfe0ea3cb17667c790106a81c1

SHA1
18460c7627d175798b2e1f53d842da321839f01e

SHA256
e59eb888c4488b4ee3a9ed536c77868b35320bd0046148eb3d03ef3ba3cc8592

SHA512
15e352e407201fcebe9e0c2b537ba849961bdfed4500f0f557faedeb3e9833e68ea6e879a31982152c89f216a97aef01b3d6c764e4be2c34cb2867417297c753

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
224KB

MD5
99891d07b4593e551740b4550afcf470

SHA1
e7d9eb63f1d0ab04a37ddc97a6a7b3eb490d5ecf

SHA256
5467d8c24ebb20c55685195e8bc2a5533532d48d3809bf00733b83dcca669a62

SHA512
54c8dc27b20d6968d4e44f4c3a9300662aa55323e2a6ef58306dfd303ca0d8dc92bc425ba0d63b4181787dd79ccee3b7e5ced44f95f06ff183ec8da0d3984a9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.0MB

MD5
77c7012803e33f20a8bec3073c22bd3a

SHA1
d9cd9aa3feae4ed59180ce8520a8fccac930e553

SHA256
be64bec0fbf2ef8228d71219e0fe3c27f5de9c73d1922235c42a93b8ad6c6927

SHA512
c75f3367aab155c433d8748ad003485bb942cbb91ea1f08e687fb722b03a03d2ba90f2fe6bb9945785e348458e2af13bc8184fe48f050e4341081734a6a1ae89

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
517KB

MD5
02906831d26e4fa25949f7f82ac853c0

SHA1
5cd0abda4d453670d6bc97f6d485e28387abf2e0

SHA256
6db711abee75d5dc31ef6645afbb786f10a512e7b777d556d02b8b7a28bdb9fb

SHA512
427424dde1ca80caf8d1bcdbe356e6be0d7f0f8b4ea3f5142bc56d2e219bbbe7a4868645a3faaf0acfae9f6a02eeb7087356e026cad71e84a5f11d7aaa102029

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
0cbb68c5996d8c00e2c1cbd60d218778

SHA1
fc0d4a59490f96aedf192ce46d502cd4e110dcba

SHA256
279f4bb73c59e394c70935fc0234bf1aef19a057a216c878c5bea874f2c4e45c

SHA512
9d97cf27f0688ddda9155fca0b1d273ba00627a53c52b2c5c2e7947a2fe38ef5727a70809e954c358237fe1786f57dd6cc77d5d9cb757bf1d4c921a0a015bbda

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fbc445b82b1b6453c22094a1f63bd963

SHA1
51c45b8e4e5fd609e527f2402dabbf785e651843

SHA256
8488207c137061ed354b39c22e8889ee0d6b9fd14bfc4015f4f6704948033a4f

SHA512
7af740286123fb3c053da4894865b91d48c5f2562361f77c97d0fbd2ad9ddd59710b87e7551cedcfaa42c6b7cb9cb789cd8c49362d18bdd0b16c3d779412cd84

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
69fa3a600f6a717a8053aa988d2d488f

SHA1
a7bdf4762876b313ded0e89f52ba5bdad246313d

SHA256
8d14f577dcc859e6257866bc707618ba8450ab30ffb27c78906dddbeac55f368

SHA512
2c71875ebf4fbbefc3dd73b443f13fe8b74adcd7aced74984b172dfaa567814323df7858c347c0d58714b44ab7933c497e8d1e66c68c0791529bb65d31bcfd3b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0d02d54c737001daa5a5f9f502c6b8f3

SHA1
8ab9f3ccf98fca4b4bfa7f328faec24890741cb1

SHA256
e677a4d13629c7cc14f36d87f7d995dd97f255f0f1cf7803b595f26d32fb3df2

SHA512
27d925d904d04986903de3d1a0b27cbd99b70543b755aa12e5b212500489df11ad01f65a61b3315398b01254c29ecb9b1583ca6ae682a08e8a4abbf79c591f70

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5d61f47550bdf85b020342fb640686a3

SHA1
92233d8529c18425ba7060b25ab3d339ec385e76

SHA256
78600ac261b9d807a79bbd468982a73afded95282ac06934b1ba510a3fef96b1

SHA512
348d57992691fd57df2b8bb99e1b41eb879980c654ef6671dc87135f310d5b465a53483869cfb4bfdd1c3f947c8c1dbed350f482bc78c34afb88ebb78c649c39

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
245KB

MD5
f9dc69dd9251e9da3e891431d3770de2

SHA1
fa933812e552e6a0d42b3d485d211f514ac6c140

SHA256
0d1876178d5bca765d7923d0e63afdebd8ba7b6ef78a49bcde29a2acfa1c362f

SHA512
8ccbb12e73d2c34adc1a2bc32228e94c8f8a65977521d7d6d64743d64921ac8f280c4115363cacad62e2e0b07173ecf23c759a188b456de2b15a0a54737d161e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
848KB

MD5
dc9733bdd53cd8b68c5fe75c59ed142f

SHA1
069ebf57af1f0f9117334512889d3e5082ec2116

SHA256
c9899b02e554d757b44b4533ebe656917533b76ec4ecd8a8d1adb308e373f1ea

SHA512
2c6acb8d2f288cac38524696c43df9a3d991e8928878b297f7b91c04a8e3b8c5715a5a44c517596ca078ec2f2939e5360c75947df81d9e965f3d5bbf74ac1a6a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
411KB

MD5
1ffd83b264d02a3fc1d71cbabd7aaa25

SHA1
0ae0657115d7b6ae6894cddf40938dbb11f1320a

SHA256
de61359ec67216852253d368ed71ccba431b75618a84d30570ce1e5a0539805c

SHA512
1eb1633fd8ef69b4e7bc0b2afaea1545453b2b6446a6bedc4cfe3809683ef00a13b1267f82108f72a21cb1a833ead317314791acb0afab54730d5d1527af3c9d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.6MB

MD5
7c34567e12a01129602a820da8a553c2

SHA1
05ec83c54b5e3969c6e57402cca3eb088ddcdf36

SHA256
096d89af5b21d64e932e5f10ac65784053c648ca8730c501fa5e7acfb96f610c

SHA512
c2cfecfb16fc21d744fa10535b5bcbde545dc8fd3a40ea6d9db285e00af1b191588bc31fa471b3ca4b91100b13f1946a8db816ed5f0eb0a91e6b59da5e3a2f75

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
128KB

MD5
f4b12b47e732f057af2c15cecc6bb977

SHA1
223066176eae6ee79926610853cff1994ba5f6a7

SHA256
1647e1b90dc6f9456e7128ac1d74cb8a9a4d5a6fa7dd41c6334dec14e9091169

SHA512
22aa88363eb6b2d0bec01420284b2773f0e10d05e9dc92a036da0249d8c2377af4c70c149119204d1d36ec5d4b7a60a4ad26b4ee073c7a7e0e1fa332d9b82ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
309KB

MD5
781cadad1e5dca13544455eb81dcdc67

SHA1
56504aa9e29b8a969ef9957202ad18d1aa2edb77

SHA256
e66c7ce3c0ec81fe7cd005416276f8ef2ea471a06ebcad36d5673b519411c4da

SHA512
b4aa86d13e5eb23844e0b8afb3c9cdd14c9635bbb2bfea15c73f8dd429ab2832150c89ace7f415dfa72b31c63e4d0e7cc903fcb80c95606ffba1cde45124790b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
277KB

MD5
1393ba000051b3cf3e627783c92b45f2

SHA1
0ea25d587cd6b69a153e918401d05bda8ae298fc

SHA256
1b26f71cada8288dcf66aa9566dc4fcaf854e09e2ad4cc916edaccab5ff9c0b3

SHA512
81cfcc2b1f66424ac63f56c4e74d851d05296e7de80b63d64ec3554f3e15aa8c73251634c27bb3a9136cd4bac9ebb24a99d893d2b8c9b9a9ddfdbaa2d6461172

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
41066004e29cfe3c88a4a4873d9cf7c4

SHA1
1d4137e51df8e8473b8287e49ac0a588797fa074

SHA256
3df2eb1d921bc6d891e33776822c720ce7d742b7f81f69722483e1fbee5a9bd0

SHA512
d118a26b6cdc8dce138c0f1408b6353618527013867571ab9ce7bc75896ebd6cd54bb1c66625e0d85bec88cd358e05dc9f50a4f0e707bf684e9946e77ceb248f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
0d3bd04afc4c70516d20c22ea5a358e0

SHA1
7a9a41e8b49e2ccea7e4bc61b7888817d258be53

SHA256
fd6ec21f808a9caf7e7d08d068c49de4bee4147cb205bc2678123b48f2a32780

SHA512
96b49a4b2ff2b787bbe1b9b2a8994af22307211b7702511a30cde3792eefe22ba099db26b5222fddba43a6ccd4130309b47daa98a2f329bcedba01b80bcd0082

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
48KB

MD5
e3207ef4e5886fb8306963a1bf42bda1

SHA1
1bf9786e94fae1e730e9af681cf40f138f918957

SHA256
6f994ad72d3372b0a67af5687b9f87a3f49cfff9a09b046b4e4667e345a3d87a

SHA512
fdb440e70a7f9c2d741dbc00dff30c2574a3c5d8f21f79d30a6fc5e78f1b70fe6a6c7a3a8ab72e178a80aeeac8db3d280e48c3567b0c0c6df0cee3afb4469eb0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
26KB

MD5
f79dc0602089aeda912a93334b1c5f54

SHA1
37660c5d817f51add1e5cc7f0a5c2bdf69034cb9

SHA256
80ed4a365c833547f07a227417025f49c7186bfaa61377d9fb6a4bf8960e032b

SHA512
93f01652b3344ca940ff8677910b26d3df8bb9b53603ec82f41770c925b0915cecb233e491517fe5abb66aaa3cb797c6ee1043e3d1419bc3fb263a32fa4b5681

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
88771b61d56784b836023ae1c0a9bee2

SHA1
d6b1c0de3bd53420f8a5b984585c48776eaf9ad6

SHA256
06a47cffd7b850c19791d84b3d623f46b63e3a20bd2eb571983d765b3d25b1f8

SHA512
6a459d0bf45405ed39d8ecd8ea5b448632d7824911cea62314af168b1256781287ff5ceb05c64abbc3e13330692a040f0886c526598f43656bcacf186e01feaf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
386KB

MD5
aebd820bc0ee8f3a7c1b6697e7b35f06

SHA1
d6c4dd42735e7da14a9b88a66a7fb78fd42af68b

SHA256
e365b43a2c59057584188abe0dea8c8b65ab8e0f04021160ff730f4c49c2d5df

SHA512
6b7ae125c68fe484f20db7d90705aedec9b0778e52e6d3378f45b53cef4142d0bf83ca7c32095c8dcf526401800b1dabda1b0b80833196880946f902cf5b704e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
455KB

MD5
84db6aed0a9b190612c1dddf6387babb

SHA1
58d8e64ff94fede07ad7dbc79aac105cb634fe21

SHA256
6f930096b4eed36661f9570c0d3c6e2834e9a329fbe6776c985462fb3ec034b8

SHA512
f4cf5c56b5d1db9c71caefef303d51d3b4c25ad8f87c139673b1d842e8dba46a64b6e985922942175bb6273dcc5988723beb4ce5d381d2145d57b17bea8cf33f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
328KB

MD5
304697742220a15e8ad31732a287a38b

SHA1
b32bc857fb195b509b1d003477631aeb1190550a

SHA256
4b48c56b8b67554228eb954c2d4cfce2cdc1566a3a793c213b3b616d2e307faf

SHA512
c7f9a1e55541ef7a7b698e9b18d1986f90ec5ebdb386058032756c3c10a7faa6b7326db04048115e8e7cbe6f2fd715b27695a42132f842bd6b3ecd163e36f03e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
155KB

MD5
79281c3bbd856de504a7ee76a058ff9b

SHA1
bbd89aaa49aa407760860bf3d27f7e364fd7fadc

SHA256
cea06cd8ccc1c28b2bc470b1bcc46468f3044df66982135c2541345aebd9b744

SHA512
b7e2e46c8cce3c8d29bc3d7ccf4708b979e73389b06b4a45efba75851859293b02238edff217c2271e048e0aaf34418e312f0c21808466a746cfaaac42646eea

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
115KB

MD5
0f85f2d4bf05ba7c618edc4ce20715bb

SHA1
1e4042ce9b7f80f045b98520cc6f33aee26d1b58

SHA256
8267b3d2599f98db46ea8d957233eaaaac67689d2c97dc7e3fb39ebb4fe0891d

SHA512
82e43aed7d43812b3a934f1dfd0a3e6272193cd4349ab09760288208684883cb76892eb51934be9e68fd68e171ec348c97984046c686528fc043ca18544d4a62

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
2b7dd1003669dec38c0c86589400a6fc

SHA1
5048e89387abb8c7d39e05180d0359aa2614222c

SHA256
e4a410f968f49ab510df1c3df9efe5dc2f6f1d766473ba362917e9ed1e8a2f40

SHA512
ddf6b88451fe53a59b2cbe8a9f12193f70056e26486a8eb567ed3706f3427350cc7908e39f87050fa5298af753f961cc36ef0a4b62f042f21bbdd0cbecb68a2f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
299KB

MD5
6a84ca9e7e1b2052b12c74107c683f5d

SHA1
931d820c2428a83e2ae95de34e19ffa8440edc16

SHA256
89fe3daf3cd6bb2ee8b2dae5ad57315437c4975398c046abefe81e562739d80c

SHA512
ab26358a06fb936e8fe9af2508f6a2c4f51b431ecc3871daed72d09025183c71e4c1354cb8b7a08f894f2d6094d30deb05a6f1857785d52149e5461882b1f8ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
14KB

MD5
a0beb7b60ee7aed5a4fe26cfef32a82a

SHA1
9ad046764220404c1ab7c1e2be41c28b0ce643e8

SHA256
6dd519964aae5e93494919e01456e9cba6806d642cb916aa5c1fc84bf1062cfe

SHA512
e5f2dfa32bb61f35b15f93f6a07a0c627c670534b29c656e96fb766e901d0750995178203a873418dde6f610d426507f3209c9855e02f48e982f833563cecf07

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
562KB

MD5
ad88e23412811f1d235f421dd2357e49

SHA1
a1227c81391dad13f7d04894c7c1563781c1894f

SHA256
8f4df64e9a9bcb531ebe0c650e0bc5a3bc73e01697b569592b4cff16f0516168

SHA512
b5eeb6fe6f902a98908dbb8c3c1944b9b2cb1731604fe5ed1e0b60a497f82665a920faede578763444f971b1e59ad1ccad3c8b9dab67b5f4aba7765b8c2ad21e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
174KB

MD5
3dec65bdbbfd03669b8be1f4ee7982a9

SHA1
cf87fadc46ae018e6bc26945ba23ec613f1e26d6

SHA256
092f2a1b3d4e707922e1bbbc81bdbd8239429bb7ae2c7c0de804202f0b887d14

SHA512
0c85c3b7110a2136f2a79c7dcaa86ccd2a36c38ece965d0841ccb0b240ef5d13affffdbc926e287926af6a47600e48499dcfbba1ea211a49b2917624a0b876fa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
381KB

MD5
849ccab736078d349f42c6383cc84e07

SHA1
103a0a2cb41f2e4d328b18e1131bab6ebdf8dcd3

SHA256
456d10d61d8ad6d906e2673bfda6a6f564c4f43c232f18c368935bae6d2bacfd

SHA512
3b37b585693c7ee6c1bdb3b6ac3586d54f9387b89dae3acd230323048c78c20079a99b0c1882bd48ae65d40d43fe00467a03adb4444ec4c36b7632e189c5df0f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
d5a7d9dbf18277fcae843ad8e6a10389

SHA1
b5e113edbecebe43fcd3aa2a3fd14ec87733a310

SHA256
8b85e7eef8812544e321a940baf94c6fd19c4ae552a3a95fad140befc6b0b44d

SHA512
42c8720a7710451d37d76c4044332096014c4af2b75dabb2d1d593dccf2eb4ecda916ca61f7fdace7b625676ec95743ff82d35a4d147d0131e86e6007bb01846

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
6c211213eb1816047a269371735c12a3

SHA1
c0aae134b59e04cfa407e4b0211f9271aeb19709

SHA256
5af89899586dcba38f60a4bd211d5330aebf33bd7ff4c5c53eee93f78a58532b

SHA512
60ae8b7a5975382a21354279bda8e6b96d8d55a8766a554b28996504c281bd1fb7899aeb2812f2d0dff1d0741681896ac59476963a33e690bfebe3ba574f1b2f

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
0dc46904e7a2fc259be43ab95d59a455

SHA1
f8c7b1fe86f1a64d896018bba723f9d14174448d

SHA256
ed94617056fce47a69a8c074680da4ad23e88f9378886d208583bc3cc5340a84

SHA512
88bd051c7e5079a26d96cfe036da0bf8b852d5d58f7c32faafc988b022c0bfec1f4b12330b4e6b2bf4d8bd064831881487591f6d0c91bd6a930c654572248d05

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
128KB

MD5
8fb51e2bd226af71c2c610094145f986

SHA1
987f30fa94ba8fd71ff8c6bc94026ab2ae59cfeb

SHA256
97ac6fd1921a0f2319a51ddc638a7f54ef42664be06fe959ab22171c3c0fdb93

SHA512
a1586c44a1121868ebc4e59ca6a92416c14aa4d4a425144b65d0f473d7fcc2a7b384ed9d11b35640665b234a5c5534bc107231c77ff9c76587efec5224eacdf8

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
33c7c1369658202f4df232d2e9253828

SHA1
d40e068b315000427b21b7e28933eaa58c6b2d6f

SHA256
4e43811888abe0d1669e16fdfcb5f74a5cf4eba5e7c3e0d1a60ec2cedab9a349

SHA512
cad144c113bcb7b43e2663993457db3f8384a803df495b388c94e6c14467a3476fbe38514b9f48d5e98ad47623d08e91da8944d66b25671988f391085776c6e0

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
65cda777439378b343c7d8dd4487827e

SHA1
e1f99b6fc269f583413f98fddaae49db8089fba4

SHA256
af2e98b51d80157a530883c7946a1ba04e47909d242e761564d7efe2f6680764

SHA512
a47864b0890faeb06893511327c22376d00ee6ebad33f8bb5489e022a5b4651670ef24f9316ebc81c40a784f895cfe8ced35c68f4e1182b02a68554d712ae261

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
314KB

MD5
41b347f957628907201a337d27dc453b

SHA1
9991471db8e3a26d4935cc9542c24e64bee41b43

SHA256
ed227f749d06d1aaab0209ef5d0b0a79591b9c808729aed91814cc24dd985ffa

SHA512
27a0a329aba82f79b2de597aa7eba7112638a29c690912eb99712db880b59389db7e77a6ca8345cda44bd8f76d67a414b24fb7e7f58b2fc154e580239a78ea59

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
564KB

MD5
3c7acc59bb458320dbb33fde894ac9de

SHA1
595b695ccd06a59db70017ce14f692d31f877ff6

SHA256
cabfbbe8d9ac0b6a8f9523eb9ec5a9a2a64ee044a60f30ecd6a924b0329ec715

SHA512
695da092298331ae57fe4699336aad4132a3837d8b8436b4bf7b4a7d8831fb9c14fb37f6ecd6844bbdfce8b724c75b353df6bc70e25659bdb046eaa2841795f3

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
e9f6c23cf8f27bb44d3e0214836f95a3

SHA1
d208719626c4e73acccdf721172f75ec698a7cda

SHA256
3ffcd63c3f41324281b12ecffd93c6b9bb185cb6a7d9146a7dfe2443d8e249f4

SHA512
d5484c3b4c12ff247d8bad4c8b1daf0652b372f9f588e54d92874432d788da2586d4304bae0d171bc75f787938f3186a811e65d94a6a072b0927d147ccd4c393

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
93KB

MD5
29f637d6555310d97056ab2dc67b2174

SHA1
432a0ed296201320e2077c84e60a4ac04a451e01

SHA256
e95466000625a65c449239e8aaf129d146f98f8eb8ce0b1d0c521c3380307b5a

SHA512
aed6e8f8e782f981e0ce47fd02bfa3acdc94594ecc4de0f7bfab15e41ae27aa8de5ea080979cc45f62316e10b2cf6568dd1fb29997f186a050b6f18c1ceacdc2

Download Submit
memory/524-550-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/884-262-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/884-257-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/884-259-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/884-246-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/884-263-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/884-239-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/884-240-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1028-327-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/1028-328-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1040-133-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1040-106-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1092-277-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1092-132-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1308-518-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/1308-489-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-542-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1320-122-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/1320-117-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/1320-116-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1320-123-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/1320-260-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1652-363-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1652-389-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1652-394-0x0000000073E88000-0x0000000073E9D000-memory.dmp

Filesize
84KB

Download
memory/1684-385-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1684-366-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1684-372-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-365-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1780-379-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1920-535-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1920-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1920-439-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1920-404-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1920-398-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1952-156-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1952-142-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1952-157-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1952-280-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1952-303-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1952-233-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1952-148-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1952-141-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2112-154-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2112-43-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2112-16-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2112-12-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2132-140-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2132-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2132-232-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2132-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2132-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2312-155-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2312-276-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2312-294-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2312-158-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2352-336-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/2352-458-0x0000000000A10000-0x0000000000A90000-memory.dmp

Filesize
512KB

Download
memory/2352-332-0x0000000000A10000-0x0000000000A90000-memory.dmp

Filesize
512KB

Download
memory/2352-331-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-255-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2440-261-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2440-249-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2440-269-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-270-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2440-271-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2440-264-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-313-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2612-377-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2716-536-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2716-289-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2716-283-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2796-238-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2796-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2844-296-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2844-306-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/2844-356-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2844-362-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-112-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2908-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download