400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-02-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
Size

1.8MB
MD5

ba9bba30ff2bb5c154d9a10823c39069
SHA1

da375b66ad73ac3a8878c08215102697f478bdbf
SHA256

400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4
SHA512

4f039fecb45bb02ed59dd024a74efa6749e1c06181e66e24a8512b88a3a45e791cf4c88bc3f783b28b23340832bd2e24f6e82c73eb9603626fb81d1804e83740
SSDEEP

49152:Dx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAdkwkt9ojFXLs:DvbjVkjjCAzJakfojFX

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2488	alg.exe
1480	aspnet_state.exe
1272	mscorsvw.exe
1184	mscorsvw.exe
1504	mscorsvw.exe
824	mscorsvw.exe
2240	ehRecvr.exe
756	ehsched.exe
1760	mscorsvw.exe
2160	dllhost.exe
2840	GROOVE.EXE
844	OSPPSVC.EXE
1016	mscorsvw.exe
320	mscorsvw.exe
2568	mscorsvw.exe
2392	mscorsvw.exe
2340	mscorsvw.exe
568	mscorsvw.exe
2984	mscorsvw.exe
1968	mscorsvw.exe
1820	mscorsvw.exe
1020	mscorsvw.exe
2692	mscorsvw.exe
1116	mscorsvw.exe
2280	mscorsvw.exe
1536	mscorsvw.exe
1768	mscorsvw.exe
1500	mscorsvw.exe
2544	mscorsvw.exe
2756	mscorsvw.exe
2312	mscorsvw.exe
1896	mscorsvw.exe
2284	mscorsvw.exe
3032	mscorsvw.exe
2856	mscorsvw.exe
1388	mscorsvw.exe
3044	mscorsvw.exe
2116	mscorsvw.exe
1960	mscorsvw.exe
2620	mscorsvw.exe
1872	mscorsvw.exe
1016	mscorsvw.exe
2396	mscorsvw.exe
1700	mscorsvw.exe
1272	mscorsvw.exe
2436	mscorsvw.exe
2040	mscorsvw.exe
2556	mscorsvw.exe
2728	mscorsvw.exe
2068	mscorsvw.exe
1560	mscorsvw.exe
2552	mscorsvw.exe
2296	mscorsvw.exe
800	mscorsvw.exe
1748	mscorsvw.exe
2884	mscorsvw.exe
1428	mscorsvw.exe
2156	mscorsvw.exe
1388	mscorsvw.exe
1984	mscorsvw.exe
1956	mscorsvw.exe
2704	mscorsvw.exe
2508	mscorsvw.exe

Loads dropped DLL 39 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
1872	mscorsvw.exe
1872	mscorsvw.exe
2396	mscorsvw.exe
2396	mscorsvw.exe
1272	mscorsvw.exe
1272	mscorsvw.exe
2040	mscorsvw.exe
2040	mscorsvw.exe
2728	mscorsvw.exe
2728	mscorsvw.exe
1560	mscorsvw.exe
1560	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
1748	mscorsvw.exe
1748	mscorsvw.exe
1428	mscorsvw.exe
1428	mscorsvw.exe
1388	mscorsvw.exe
1388	mscorsvw.exe
1956	mscorsvw.exe
1956	mscorsvw.exe
2508	mscorsvw.exe
2508	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
1688	mscorsvw.exe
1688	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5f8281e0ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_bg.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_is.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\psmachine.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_it.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_vi.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_cs.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\GoogleUpdate.exe	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_ms.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_zh-CN.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_ml.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\GoogleCrashHandler.exe	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87A7.tmp\goopdateres_id.dll	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5ACD.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP61EE.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B60.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP98C6.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9E23.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7C22.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7668.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA8FC.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2556	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1368	400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: 33	2680	EhTray.exe
Token: SeIncBasePriorityPrivilege	2680	EhTray.exe
Token: SeDebugPrivilege	2556	ehRec.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: 33	2680	EhTray.exe
Token: SeIncBasePriorityPrivilege	2680	EhTray.exe
Token: SeDebugPrivilege	2488	alg.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeDebugPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	824	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2680	EhTray.exe
2680	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2680	EhTray.exe
2680	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1760	824	mscorsvw.exe	36
PID 824 wrote to memory of 1760	824	mscorsvw.exe	36
PID 824 wrote to memory of 1760	824	mscorsvw.exe	36
PID 824 wrote to memory of 1016	824	mscorsvw.exe	45
PID 824 wrote to memory of 1016	824	mscorsvw.exe	45
PID 824 wrote to memory of 1016	824	mscorsvw.exe	45
PID 1504 wrote to memory of 320	1504	mscorsvw.exe	47
PID 1504 wrote to memory of 320	1504	mscorsvw.exe	47
PID 1504 wrote to memory of 320	1504	mscorsvw.exe	47
PID 1504 wrote to memory of 320	1504	mscorsvw.exe	47
PID 1504 wrote to memory of 2568	1504	mscorsvw.exe	49
PID 1504 wrote to memory of 2568	1504	mscorsvw.exe	49
PID 1504 wrote to memory of 2568	1504	mscorsvw.exe	49
PID 1504 wrote to memory of 2568	1504	mscorsvw.exe	49
PID 1504 wrote to memory of 2392	1504	mscorsvw.exe	50
PID 1504 wrote to memory of 2392	1504	mscorsvw.exe	50
PID 1504 wrote to memory of 2392	1504	mscorsvw.exe	50
PID 1504 wrote to memory of 2392	1504	mscorsvw.exe	50
PID 1504 wrote to memory of 2340	1504	mscorsvw.exe	51
PID 1504 wrote to memory of 2340	1504	mscorsvw.exe	51
PID 1504 wrote to memory of 2340	1504	mscorsvw.exe	51
PID 1504 wrote to memory of 2340	1504	mscorsvw.exe	51
PID 1504 wrote to memory of 568	1504	mscorsvw.exe	52
PID 1504 wrote to memory of 568	1504	mscorsvw.exe	52
PID 1504 wrote to memory of 568	1504	mscorsvw.exe	52
PID 1504 wrote to memory of 568	1504	mscorsvw.exe	52
PID 1504 wrote to memory of 2984	1504	mscorsvw.exe	53
PID 1504 wrote to memory of 2984	1504	mscorsvw.exe	53
PID 1504 wrote to memory of 2984	1504	mscorsvw.exe	53
PID 1504 wrote to memory of 2984	1504	mscorsvw.exe	53
PID 1504 wrote to memory of 1968	1504	mscorsvw.exe	54
PID 1504 wrote to memory of 1968	1504	mscorsvw.exe	54
PID 1504 wrote to memory of 1968	1504	mscorsvw.exe	54
PID 1504 wrote to memory of 1968	1504	mscorsvw.exe	54
PID 1504 wrote to memory of 1820	1504	mscorsvw.exe	55
PID 1504 wrote to memory of 1820	1504	mscorsvw.exe	55
PID 1504 wrote to memory of 1820	1504	mscorsvw.exe	55
PID 1504 wrote to memory of 1820	1504	mscorsvw.exe	55
PID 1504 wrote to memory of 1020	1504	mscorsvw.exe	56
PID 1504 wrote to memory of 1020	1504	mscorsvw.exe	56
PID 1504 wrote to memory of 1020	1504	mscorsvw.exe	56
PID 1504 wrote to memory of 1020	1504	mscorsvw.exe	56
PID 1504 wrote to memory of 2692	1504	mscorsvw.exe	57
PID 1504 wrote to memory of 2692	1504	mscorsvw.exe	57
PID 1504 wrote to memory of 2692	1504	mscorsvw.exe	57
PID 1504 wrote to memory of 2692	1504	mscorsvw.exe	57
PID 1504 wrote to memory of 1116	1504	mscorsvw.exe	58
PID 1504 wrote to memory of 1116	1504	mscorsvw.exe	58
PID 1504 wrote to memory of 1116	1504	mscorsvw.exe	58
PID 1504 wrote to memory of 1116	1504	mscorsvw.exe	58
PID 1504 wrote to memory of 2280	1504	mscorsvw.exe	59
PID 1504 wrote to memory of 2280	1504	mscorsvw.exe	59
PID 1504 wrote to memory of 2280	1504	mscorsvw.exe	59
PID 1504 wrote to memory of 2280	1504	mscorsvw.exe	59
PID 1504 wrote to memory of 1536	1504	mscorsvw.exe	60
PID 1504 wrote to memory of 1536	1504	mscorsvw.exe	60
PID 1504 wrote to memory of 1536	1504	mscorsvw.exe	60
PID 1504 wrote to memory of 1536	1504	mscorsvw.exe	60
PID 1504 wrote to memory of 1768	1504	mscorsvw.exe	61
PID 1504 wrote to memory of 1768	1504	mscorsvw.exe	61
PID 1504 wrote to memory of 1768	1504	mscorsvw.exe	61
PID 1504 wrote to memory of 1768	1504	mscorsvw.exe	61
PID 1504 wrote to memory of 1500	1504	mscorsvw.exe	62
PID 1504 wrote to memory of 1500	1504	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe
"C:\Users\Admin\AppData\Local\Temp\400848b4d59d2fa440a81fb15697f3a1c855e8c810beb3cd6827d368f028d6e4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1272

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1d8 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 26c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 1d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 248 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 244 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d8 -NGENProcess 28c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 290 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 25c -NGENProcess 298 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d8 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 2a0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 2a4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 208 -NGENProcess 20c -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 24c -NGENProcess 23c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ac -NGENProcess 254 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1d8 -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 23c -NGENProcess 25c -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 25c -NGENProcess 254 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 268 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1e0 -NGENProcess 268 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 23c -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 270 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 23c -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 290 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 290 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 1d8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 260 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 260 -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 260 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 260 -NGENProcess 1d8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 2b0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2b8 -NGENProcess 2b0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2b4 -NGENProcess 2bc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d8 -NGENProcess 2c8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2c4 -NGENProcess 2d0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 27c -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 27c -NGENProcess 2c8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2c8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 27c -NGENProcess 2e8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ec -NGENProcess 2d8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 2cc -NGENProcess 1d8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 190 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2496

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2240

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2432

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2840

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2636

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
730KB

MD5
2a34549aaa8e40dece34886beb747064

SHA1
e661fb765b77cb1d0f8ea06dc1c01931a0f79eb3

SHA256
1405490a860f03669c4cdf4312a00e8d29f79a855fe037de1cfa3f857597fb6e

SHA512
486e49593168f58b7cf1ee3dadb898e780c2838388d0462341f3cb5c1f5b52697b7122d8034e4c03ab1a625348017741bfdab261892d5cd50d2b71bea7e6508c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
3.0MB

MD5
1cfb4126434bfa931463c717939ff174

SHA1
8bb631beb1591c6a7eb1e75df946ec506d7bd40c

SHA256
548d12dc47cdbf4a4057b2f954d6cb95b7e9d473d69668d7565598e3bf1fddb5

SHA512
5fa9cded56c7b0e572b9f7913faa5fa80399a7d8012738b911427e94f98e1580fe886de66112365f8937dccd8bc4133cf88eb4a648c6dd34bb5e470048e7bef3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
614KB

MD5
eda7be93f91a394d574c29d149fba176

SHA1
cbddbacf760110985f905c7dbf6b849e4e63562a

SHA256
560905f78ad7045539ca84262b1944a634de0c0571996e78221032bf683bc232

SHA512
2dafc6b583f3b6bd55be9af014322984d54d19246abb963f51fef2eccae377804ae72e87b9f6ca02a52f9c9ccb2864f31fe900ee35741c25df168f3d48a47d91

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
503KB

MD5
5b2c554f07a4b9ba8fef25b5f32388e8

SHA1
be1aa20f0ee171c77373139eaa98e4695dba6043

SHA256
aacb59f109c3673d3e66c587e551ec3ead03f89361ad09ad823de295c56026a0

SHA512
08bb6db77db6741a5f57271250b366fb341226267e392bca9069df5a9ab7fb58067bc24bfb94b940defdb528919adc8dc630538f485f85536277e9c6a7cacb46

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
926KB

MD5
64e2cdbfca89616f811caa10fe5e7d6d

SHA1
1d0722b4331436532100b20556c297f99d30466e

SHA256
e1513e6001839a594e356661d0ffd651075e6430db65b0a86b269ca106794a3f

SHA512
5122a2d68d6a490a4b7a2430ee09d4834e4f84ce1a2ac893042705d95b859ed8a891c87dcc5771937ba1259d21552e8596797b7c6f5fc0d14fffb4c0374bc01d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
364KB

MD5
c3447e6f2de258d672c78ddad96bc332

SHA1
aef4c79cf4445aaba0595d8da99a6d0dc1ad90c0

SHA256
b99582f5dd0d71779c4779eea41c6f97cd234546f26cf084a72eb27541aa72ac

SHA512
9e9897e1df14fbd2da1e6580ff94421bb84129f3da64aebf7758323ebb3a590441f4509afdc9b3240f9b558bea555bbc60e0d4576d214e29e7ff333084ead5ce

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
332KB

MD5
07466365809e6cdd6c2d2915da7f2349

SHA1
9d4e76976370008132ad4bb3f253d00dd76cebc0

SHA256
7649f63da3d130de16f0c04511fa30618e44eac27115cf7dea0a45da628edf36

SHA512
501fb2a08b335523e5fe5c6f30c360979a1c413a836d266d76939dbc7775af869e2663187cd62b0451ec60c0f80d7669ad96197beaee14dec73c3300fa97d0a1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
657KB

MD5
d10cd996ad9aae105a25a8aef1b4c6db

SHA1
792afb9c6891f3021a007927eda4f1ea8dadea80

SHA256
35dabc6be9f06f6283de32fa2b7221e0646fa09a7c31714767fd31f11fc0c846

SHA512
57be8eb05effc2a95cd8b104d9bd606e7e2d755d475f5950f2cb3c871bb5a0d936832c04c006ca3dfd2a8c8cf24f0f6ba70bb1b6139df00c9c9c52b423900e8e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
442KB

MD5
58fcac3516053faf4b19ff46aa7c949d

SHA1
bde33d3e73df199a0ce9464b8a4eb8029a9da185

SHA256
27ae3a1434a3f1927894f7ab6fd23776ee45dc414f367e8850f5cf4e93938f9e

SHA512
fa5680bba8cf7597709af55b2b0951124425166e23eaee610c07480abd890483ee2e2ba764748837191c7c3553d4e19d9900f41f8bc810c7ec5780e7b7a80d8a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe

Filesize
324KB

MD5
828351ab03d099e6ca817a79a0eac564

SHA1
6e74ab62ee44b5b8723f50cf328d624c9572f026

SHA256
2049c4151d523fa6b4576ace982f51ecda51440be8b2e09ef9570f295c401f5a

SHA512
24b91cf7f433d5e9136d9b6080a8dfb8523232e1e98654314d35523a7c693dd0fc12148973ba999d5e7beef093c6c1c44bf22a3dfbf7f40ef7a3ca7335da3e52

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe

Filesize
585KB

MD5
f6712e6d99c0d2c803bcbc707a6d0a21

SHA1
672b4b9d9e1dae2af7e2722d761db237d011e4c3

SHA256
1e03188db6ab0553b86bc9830df0a7a587e7bd7e21337d38ce9f9178adea9431

SHA512
13b7291fdb9f7323720a3b105d49eda74d5f0fd67750f8df46b11297f20f8bcee510a417360c76cfee4208c0aafaf3a501d899e991d2bee7f9e48ebcb206d279

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe

Filesize
389KB

MD5
7826545828b2135b27bac914b9f11f01

SHA1
a8b547a643d9940c0e2a7b27c76dfa5c759c24d7

SHA256
d6c909332937d1bc98ea3ca94c584c0f70862011cf9ae0d340800b1efdf4f39e

SHA512
10d8d34caba9db3bbd703a42785ffe852d2e1abb3c7cf1bd7c03360f2625359845d107289a68ce697fc945f47c50855bdd0cfa0d8a0f88b1a96dba743076024d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe

Filesize
504KB

MD5
28975ad13187df3d6b53c137963f861f

SHA1
17b2d7cc9fdc40573841b38b871faae4c710ef69

SHA256
5a345441970d5e8b2dc1613f042f7cd2c08867ecd585fd50e1ee12a338021067

SHA512
17036519fc4127493f2d80fc9ce12f0d84d85b68d7dbb9590c14d541685bb01fcd615eadd181eac3dc66b153c0398a1fe03dff7a933a2114d756fcc7c82e9368

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe

Filesize
335KB

MD5
cf3d7ccd373dbe63f5df91fb63fd8259

SHA1
4cedb463a813f3c6ebccbc4849d103da1a78530f

SHA256
3ee7d59722c352ac89055d893cb5d509eecc739a0da0a5ff114ff634634ed9f8

SHA512
e4e1688ae4898d3fcea1a00a69c61af955112a66bc008718c5d7bcc2ee0e39079d813164e839997473490d4db97091c9ae6f251e4e6179f412b9851caea3ef85

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe

Filesize
277KB

MD5
9463a0f02f96dd0a621d8c4eb6bad5e1

SHA1
aab37ed5a2111950193f817d0381f36bd53fa304

SHA256
9cafe4c33bf548841c150893dea8989bff651a69ef62750d334afd653615d999

SHA512
acc34b66480dda93997143d559e343e31200ba30cbd5400fd3356a188a75578ca3467ec7d80a07919831b086e69fde9390b91118eee1f0aa20a06aefb4f034c6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe

Filesize
286KB

MD5
beab89fdf75684f10a834e2da3580eea

SHA1
b334d48343354f03db8399ea27a969b8bcd8a6d9

SHA256
da4909108b93cf065a1b3cab26c962cb25e2103a8d0a859724d304616f2b72e6

SHA512
705f60f9f15225d10c738442296475cd9837316418c70ed760b80ff0f98dc055631830c47ba14df4e2d54471e6053b9add4b00fbacd1092c00e562d8e4b195b0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe

Filesize
256KB

MD5
e9614e5797ade2778aa9827a97cb0240

SHA1
a257770d26a1ab59770ffda61ba7a667c3122e2d

SHA256
3ef951fe2acaf403f92cf4d26515ca71b2fb9b18204c2ff93c810356bca8f4dc

SHA512
05da9ae232ae274e0042c35b99ca933f1ddb78f45a2fdb8da5f4070491d607dae411a996656e6d466f579e834fe515739f68ec5dc0b337eb9457a42569a4f8d9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe

Filesize
340KB

MD5
6ecf59e11e2f01e65f774c91e7d1ec87

SHA1
68a72b01114399a6d25fccadf741283a8395d38a

SHA256
090c54070f25e4cf1df8213be867621b8309168cfc1130509eabc28fb5842970

SHA512
880120867d696b86df57bdbbbc1ec32bd14382ae25a22aba55550765f7213ed49148cbd9c959d6a0c58ec5331bf935653257185b076694ddaa78ea0c7ef4f292

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
448KB

MD5
6e30f3a2992ecf1792d6ee1e7f5586fa

SHA1
7e1a7258b8b0d3e1ee4987e83c11f38ccef95ba8

SHA256
3807b80306d1bd6649f201ce649e749c66003ffcadd5c39740afe78e2f3bd836

SHA512
a8b2c8099f761aa6fdb4d3cb09a508a2498981a7fda0522af76febb5e401b716252394acda734be8eca19ac1c98b4774b963be3e02644c52b1caf6bc4160400d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
19KB

MD5
2daf5bdd30103b75bcd70295759c14fa

SHA1
a5bd90da4549daf20f4d1e0d9bcb0306c13778d1

SHA256
972583fc133ad4f7144d6f7e24185042f6fe54e1f610988c0984459d9143fc29

SHA512
1f4e91b96f0646c31606bf8332932ccf1e2aee119b7decf22b0e0677f90a4aace69f325c69e905d3c933bcced7bafbb31041e6173fbad97655221f5754234788

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
eba28ad6a6adb6cdb2bb56322a06fca0

SHA1
4546be54ed54725c83148741fc008d91905e5a3f

SHA256
28c362030c9fbd80af86e712aaa337cdcc140eae18c7df5994e20c16bc85dff1

SHA512
d7b36be67a9767d5cffbaefe343807b2e90bb80b0fe5b01e2b376aaf392abffe3c76598846c9c3299393900e42256bf5e0c63002d513ab498368564f34cc6124

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
b88c8e6246d93325363311c0a11e0cb9

SHA1
d1bdf4c5040f2d00d987bc8200bf522f494f0358

SHA256
8ca1e16b09348f9e89821c6d8ebc086ca57d0501b28307b18ebfec86555ad869

SHA512
f14f3b34dbbafd46179b568171eb8a2c737a94b7ed12392e46f91030553c9c14b89ea3d17f8fecf602fcdd38902528880a2e101560d432d0f04f0aca0a3baa36

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
786KB

MD5
226847ac6b4bee5ee8c0ffea8a67dcc6

SHA1
4b5770932d090a7ed5c93caae7265c7ea8e3b94e

SHA256
45ca355b6643866ac4f727c817d162062be7a70b12f29b3057e71ab7a2a687a6

SHA512
16b247e678f08cccd057e0ae86b31583bb3a745bed1a311c6604d356eab24f9533779900c54dc9887f7729268d0e7ba179a0a52ddd01999424ea0a9c37e86e08

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
281KB

MD5
2dc4054f7e6f46577ed2ebae0af3dca0

SHA1
2f899cfc080623f5f8b0efd094f3c74ab8ad4541

SHA256
d2108e4be1c0b5bdd09a0e6e528f8a087cd920b291efea4f2431e56f81d9008c

SHA512
93f97e5fdb9ce82db0d538221a746b49164c8b9de3c9ed2fb8afe143b10e3230b0099131f7605d5a08025dc9d5535bd0caee2352e587854b2a8281baa3b08d2f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
7fde6410ef7fc78d49e54136274b0f1b

SHA1
a64a2e23c22c1edaed818585760e80342c4ee4f6

SHA256
39923a958290a0c9337980a975af37d6101a3e519b5ddecaee02d4a6c7ce06a8

SHA512
f36093128a9c6376323397479947066e598bd25cf90f3d7fcea0a3c9ec79446dd57952bdb55d67b5b70b06a2d417c4ae65b7bd7b30ae32b96344ff564a8ef3d2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
241KB

MD5
01fc935122aec8676e4bb25d63392c22

SHA1
16a226479fe7f031112fa61422529e9efafd0690

SHA256
7b72b883f5353b73c9aab0f6277a00831692a8dfb3eb9515acb662ff8a1a2dc0

SHA512
bb13bfedc8a2a490f49c4d46afac0df01044c6f98cb45d54a1fe9a1f49d7922ed84a8f2deffaeb08ee315002ea59ae4bbc03cce81f719ced37dbd33171a582b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
a48373423696cab6f1e505e53ef02588

SHA1
4684d38c2f9be2c58e59cbb588ba6f43374e47fb

SHA256
55cb373c7977f1e4f4bb635353441e836ed4ac57e0b78bb9209a5c00194d308b

SHA512
dce21ff5acadf4fd762a19d345b2bd8dd12be8d4431556b1e5b7aad03f0efe8d1694af34250372a97c984dd2464006d1deef3c80ba0a26844253393789242b8c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
345KB

MD5
0d9bab3880c5ac1e95e84bbefc14ae58

SHA1
057ae83fb94421376d40516c417b4763429173f5

SHA256
3774ced5549ec84f4328f2b178abe239046b7390265876b851735c72f409ab2b

SHA512
6a6d7ccf5560b7804260fa88151e9c26e86e82406e90ae591ea6064b1d94f2f2f014309aeaef0a64cd296250c7f2f6ad9ad9ec0b99bceeaea477167d66e9ddde

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
552KB

MD5
b4242e60cff07b9867b765473d6c27c5

SHA1
5fccb4e2a0a1089cd10b2d205f3414d0a25702f6

SHA256
c1708bfe2f2c3d92296db4aa4b3188b1f57fb1750957a732d52715c6d037a8c5

SHA512
c72b4498f662cd008c0ee3c72b3fe0dafaf3f80a9006f7682533bbcc57c1c3a66eb8c9df46076fcc687b6d2354ac67c94b26627e86f29976bb6db5e2061348b0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
115KB

MD5
ca9b2e8624ae8a2829224a2f760ab64d

SHA1
ab2657aa7136e2b6c42b0dda56e09e261d036070

SHA256
25421bda79d09c4d289d06df276e86974f33dce0ecea809e8eb62730066e159c

SHA512
257952f9a9fbd20c0ed968fb483bbd69f54075919027906e4cbb37843ee070d8b181e996751ea7cb8537428449407ccafcb2c682076f112b34aea04cbe68ad0c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
c2c409eb2e92dcbde2f78ac9cfa47f71

SHA1
fb654f89999e98bfe2db23de4057aa14d90b0df2

SHA256
378cb7c5b958b8a80d6204f8374cf0478043f152db76858f15ceb55b113b72f1

SHA512
ff793971b99d6f883f0626fd27c214c2666a18d8f5d5ca599f81a6147ced552b8d5d727f9176df64edb9eb6af4de5e3f54c9785d2394507022b3a5dd997a013b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
253KB

MD5
826e5cb635f1e1586c29294da3a90c8e

SHA1
142947bc6826f6692f676bba82f3782bd9778c91

SHA256
c344768e6f0eb8f19eca90cc2070aa688a91e6c1d1c3880da7aa6c2536367c2c

SHA512
970937986bed485b69bcf3ba35fe814dc408f387bf3eed3e7a0afd9cecfd32596f74041342cc197d0d8268a9f807005fc72d61b5372652dc782d87f5f093e61d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
114KB

MD5
f8ca066b8a03a443ee2e64b9473dc5b3

SHA1
8b5ead73c0caf8c87f853dafbcb9b528f7638f53

SHA256
08fbd4821dcfd566cfd153cf013c67b7a3df026ad8443b8d3f5f9e454c04d251

SHA512
baa7b8acd2d18790ce71b2d6406ade1d4b252c5486e90aedbbc89c9adccb824931dabb8b64b0e5575a9a3f211edb24944c253ca217894ac3c8351acbb9741bce

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
753KB

MD5
926a680d5df9243e11aba380c8731ae5

SHA1
2e33b09401144cf621e45fdb3ac4b9e2426f8ae0

SHA256
6b137ce3f431eb27794237a21fb7761b4530bcaf5b3a7265b10da0ff310e132e

SHA512
fe2a405a0dcf855d0dd221d46e13d2aca5397f3be7e1f7ee4f67c773cc83f2be973bae4d18c6ee57244dd7425c98719b73e3305f852c0d805b7a9418dd67a6df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
97KB

MD5
7317a3bdc2bce26ccf9d442c65c9f346

SHA1
88aa133337dadbd7559ea5feb6fa3b64728ef44d

SHA256
5526b7ec086712f7dd680ff5539845423aebe2312b9a4d2f7e589dcac0c8e163

SHA512
c7dc2dd8deae7f59455b3287debc74f8dd5b69b7016b1bbd6ef07923014ad020df6727107d15a0e0fc203951fd7d6afff3b3e2e46931cdf06c79cd066d3025ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
390KB

MD5
ae88a97967387119fb2677a322f1872c

SHA1
407bdb9ba71efef95b7282577111a56ecdef826a

SHA256
279e78d232591dcc3c34a941dbb59e847d2a6626083818656da3d7475f138e41

SHA512
5c3d78895a8ff1193f840ff5920882087647ad9769a4bdd97834a1b3e4564229cc5011231817b0dd0aef66b16977e65351fb66ae1cb2f6dc8a24ccacc9fae63d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
261KB

MD5
392467e6ef16a64a3332c21ddc0e0287

SHA1
99664c6ddca7050b550df9f78ae89b1f0a82434c

SHA256
7dfdac5728c3046615c0e9783d21548edbc9fc24957f641618005b7e17164ea7

SHA512
0cb1731801cfd67f15d268c6bc74532867a5ec54d27deef49d2eceaf5f0fc2e46596d2d6bb5f74601ed7e4709c65ba069c8c31aae828e180567584aedc081f8d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
22KB

MD5
4033bd6c428de5727bc00a750e5b776f

SHA1
a7f80fbb43d8e3ee84c26632ac2d21bab1b2b2ba

SHA256
23fe14c875f32243025c5d81d3c8f0c89e2a25e1370b2a27c0bd2876dea4d1ce

SHA512
fb9f781450229e219ebd0327db6e9ef4b24f9f3a4a342768cb14cc6a195d6492f193d029ba7ae9fbc9c6fdf871646cc0c3c0399ec6dd4903e72bef3a8c08485a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
842KB

MD5
cfe689f0606ff54a78b84c25dc7e3bbf

SHA1
2c42ac5888fabd56d49be770ccfde6c47f47e613

SHA256
1bd57891e52f43de27b383f5d0c3685e8856b2b8b658cc24e84f470933ba61fa

SHA512
f456b710cc4aec222ebd7577b81b3403cd249190fec13fdcfe853f54307c4094a6019681a7804667b245eb17ac69ba62f3acc9cb9e5594bfc058785c4f6f7fbe

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
467KB

MD5
d1e9010aa8749e42047367d676ec9575

SHA1
4ccd46e36bc8a8793693656d0d54052de6f1bf6c

SHA256
17b06a69fd64a3485459a27fb9034286b4730adf31cd6b473296edb922688a90

SHA512
bd9ea6943d6d77ff9e608538ddb6fa89fc3dcb0286dda0211adaccdc690dd441658a85768ba8a9f9291a974e549895fa04412300dd419807ecc8681c36cf75af

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
267KB

MD5
b0ab5a022a487e8ee5f718762fb6b184

SHA1
1d4bf2d094af28ef590bb29d06aefd2fa335691e

SHA256
4ba60099cc4b7c1dc9b4cebb5a9fb8ed5eb405e715a197269d436d6fa704ae3e

SHA512
9ec26094ab5d421cf0601b7289051c0735ff49641b35cf4584a2ebfce8885804fc0fd4067c65998c581cae070dbcc3ad6056c91e4b5d8eab13199e28f391a345

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4f53f9e4d823702ada233f70f6cc7990

SHA1
4ad826a3c68744325dbef0406749ef7af50eb292

SHA256
e9fe0030bf615a478a22f4679f6f619bbd70bc0992bab1d646fc591e03dffede

SHA512
d0c03985f93b137069646601be4ecf169e155c8fe22ff1b05bff06b85d8c4b2bd6c267abd6a8adaf43ed698bc919ed6775f86de03943cd118dd243c65f03a5af

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
7b11d92ff2a12764b7bb87d45f34e05c

SHA1
94ecf52a898841baa46286eb190bcc3b86708538

SHA256
d5eb136b393d25dec5724585d46f3810413765b61b8454d8a61c3cb9e85fcab6

SHA512
22687a8587bbc776d90171e019c28c65a0fb667fb038ff506b6aaa7aec3a00058aa7c23b32859a09175e5ba7f606a1c350bf9481528e2d7f41cfcee795e22248

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
864KB

MD5
eb5bc7ced433dc7d8cd4915f1ee034ff

SHA1
9cf7089dcc312816850ebf7aca1f0d0f8ddddfae

SHA256
dedf6b64e5d38b216816e0b65ce3cdbe74bc6d31ce79c28534b0258eade7bb4b

SHA512
cdd35022a0fd780f77461c50200facd8a030e76f997adbf051a2d789594a0ccd9f0c8e4d04d783e3338cbeb7581065fc7edf7abaf08bd7eca76ae27bd2b59977

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
382KB

MD5
650b24adadec59bd17d157930881e73c

SHA1
abbb78e105f54383cecf4e160cb821864649741e

SHA256
c883ecd371548b4659389faa3154cafab7c637211dc78b02f7a22468a1adf2e0

SHA512
9cd88b3395d46cda8ba7e18c850ff200e164ecdc18101d72488aad042da76c8214c16d21a8fcc6bf61ca20aafab65db5eaf43f792a7d7fc60ba1797c307adee9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
896KB

MD5
52e30f8996be2e3d26ecdd83eeb468e7

SHA1
64c65426bedf97d57adeddd2a6f65c7ddc706b38

SHA256
4ec0e68e6d72437fb85d3c1de3a358a405e66d649827beb6cdd941882575087a

SHA512
ac09b05e62a8033c91f7e97cef701c851bd647977b25e24fbf9a655150ae45ce3cef34f18c50c9e9c1eb6e10f11b9b6944896c517e3d22fea29ec1837e8b2a15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
885KB

MD5
321c21de9064006c20d41294ad25ea25

SHA1
51160a6fa6dbeaab46f938a87c81a97de05b58d2

SHA256
07382bda60ea7ade934d3864f08dcc0cffde5c04633e1802821f2e8643eae57e

SHA512
dfef4a9bd2a3ca61117dfdbc5e0236699a281a36006e80cc77e1ca6a240281bdfe5effc7a7cea75248bc34c109c8b165cfc4f0e9c76e5807aa27aa7dd575304d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
355KB

MD5
1b6d17730e9d39994d60d0c2bfc7f645

SHA1
f6814d9ee38e85a509b616b8db8eafc1a8eae283

SHA256
16f41f043fa1e8fef6b43388646896b784f4458707f1d9d2bb540412ea67f48f

SHA512
0f617a95285213761dc9beef9aae667b3215f5f59d9c63858b23253c41facfe9aa8f1f0c822204d6e84b6265826a4e68a420ac4f6480a717e39a70bbf6fa284a

Download Submit
C:\Windows\System32\alg.exe

Filesize
68KB

MD5
b908c3d7d64a96ce3a90fb7243d49110

SHA1
cd2a3af721e89235e3727e3bdcfcea3d7ce29b62

SHA256
0e62ea6fcb6a54857e11c5af9a976c60590906b389d0b1370447d179c8a40af8

SHA512
29f957b09c15b55da5ddd9c42a63eb348a9fcb9e4e02bae58f4c14c9e2413aee50f4ab3ed1bd91e4313df3c6e2671d8948f256a649eb0fe720e10850827f9fd9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2f0c848c55e8a810996654f4343ed055\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
41KB

MD5
9487e5083ff95e50925c1286eae8dc88

SHA1
4827740c06426f993171904d9992e3d5d2984067

SHA256
ce8393456e52243b4375c946e64cefa678b30167c5db5f7dbd29fa84ceb331b3

SHA512
74a54c95ca800da841b4e0bdc7ce0761f11fb51074cdbf09fa142b0dd7832eea05f868e7c405d65dbab696ec0bef6aa1da62cdb308e0a470a2079615fc58ffa5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4f677e5698f85dd2efefafb17d5cf338\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
75decae4e3126da8c2f7c19c84f30354

SHA1
07cb96ba26050bbdb5137fc52d25895ebce2436c

SHA256
4b76509209cc25ee6bf7ff806447f1a03793af8e41725695be7f1d26097fa87d

SHA512
f43f8c16ceeddef6e08b07234b41da39cb69523cc72f7881d34b33a2edb10f8dc79825a875a31ad96b16f0e017b57196a3a7fa15f27bd093fbfc6997825afb40

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\681e6db44afb0bef83f2cd4eaf9ece29\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
c9404a232d1471d6d0ef6aff28fa6365

SHA1
205d32afe9d839cc3d509f6ffde07cb41b49dba0

SHA256
3ae92820a5d9c28662a4c6f31c8cbe9a39a35d1900e3e80040ec24a780c4c5c7

SHA512
ef3507eb057c69ef236ba2a5765d6be638b19d62cd6b396f1712bef45fdcf4e2eca6d44867a2092ab87db26fc467f658afe7d80e0329e103e6cd65283dd296b6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d64a62bab2441450bd8a002b3b3a798a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
c201b6c5a87136667521ba34269e8449

SHA1
4978007d5f2521018ba0effe9cb117f0c262242f

SHA256
192db0ce44bc8ff8ab05b2d87b9e95d69afba4900eb759528df244647463e436

SHA512
71bdd8c78f277a523670b6b93612d35fbba4c1a2bc32dbe5efe3a462a42cb6bbfb94088deeb6e0ec34dba54317e4a3b2515bcb30c543e49ec85081625d1dcaf0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
1.2MB

MD5
5fb054680c367e1822c5b7f5d9b6de4d

SHA1
2b9fdddaa82b012c8ef27cf5a13be849b3dce638

SHA256
cd156439a3b7467ce7edac546c69a2173fe19abd4133c2d91122b7c8bf0d6fe6

SHA512
19ac1bbb43cc1664acb6db0bc7554ce1a37dfb852665b232c0544f649cd5146eb329bef01797f9ee4506366b2beee8f1925bcaf95a78bd8aea4fc001658a878f

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
c4392957d21c3ecda27e863f58209470

SHA1
54ef66fce7f39877294deb2846918cedafde9266

SHA256
928b395f6c30f1fc437a0635a4683d7e93d036ae4b919e0b7ffa4384705863d5

SHA512
3997f3e6fa096800c07e332301e81b02148fc431916fac0ce50fa49017220b71a68633cdb3cd7891b04e64d75d9d3f6e462c5406c85bb85fb5a88875e8c66949

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
43KB

MD5
7850b3e6db9f2080ec1fb4b35ad07094

SHA1
e10a596696db29cbd53c3c974f9ea05b7d1641c3

SHA256
29bce869445c91b6e9a8dbaffa8c46381771398762f26ae859991d240d89afc7

SHA512
e6146ef780be1fd141e1cba604015c5911eaf4f3d944a6095b0d2174cad505b3baee38c5dc2426dca20a992dbe3882fbe2681f73d7abf742e42fe302552521ce

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
078371ab1045e75d284f2b833a2fbfff

SHA1
39217a3f1103f2e5fe3103e7f2051257870ea499

SHA256
2a3865bcdec745457f734923b3723be8ef3f43719c07c920363b38be27eb5c87

SHA512
6fb31bd9522027d19690c407445a1e5d9bd92b1ffbfb225fa240ff40e64445526a01a21c3acacba5bafae112b915302aaae80611b293b0a237af52b479012f59

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
908KB

MD5
8e26f6b68fa404e5ee1435a8e267d4b4

SHA1
9201d301fd802f22962a2ed89020f8b2b6757baf

SHA256
234f941de21fa303085617a1c8c978ac7f78b3829c51b4c75366216301c542c3

SHA512
a7a2f5d5af6c7e3a24c3649e04a131c3d498a352d04ca54a822c3056ee0c094edb803ae2c629532f3da6a96ea6be58df5513ce209c128dd2048dd0b65ab0b19f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
430KB

MD5
6b8cb5a5c3a601ba5fd578e09897ba82

SHA1
54cbc4192a83555848eafce89863d92aed970b6b

SHA256
7644fff8e5274ff8e193f23bbe73daf040b07a06525efd9fc3df11eaf4085c87

SHA512
20b6b355faccd58fe367d5574fc2ffa3b7aba8617525835a3e90a247818c67ddda390ff50218a30f35df07e44a4d8246c19808d6662c2106afb3ae0ee8d188ad

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
ee992d38ecf732de724d0875207afd0c

SHA1
d697dda216b4377b363d0f39fd7605f169b8d0e3

SHA256
d788c08be5a8c4432c127df66e7f0b07b07b985236526ceb72d859391041b05c

SHA512
1e2f1f602e618e3395b72a16200aed784f986c83f8c48c6e7ea9241fb2b5bd0be62db0b8f1038ac376aa5ccefac74bc1308fa8755f865801e4c571ce0ad9c8f7

Download Submit
\Windows\System32\alg.exe

Filesize
170KB

MD5
5b898af09e8a04e07e774d20077b1362

SHA1
0d0bfd17043dc1292ca90c91922874a2a2a36ca5

SHA256
4288edd037efe2f1f2c24132565128fa348f1ac624c9850afae298edbecf9a5c

SHA512
f986b2fdd053aee6de04b72463d0da0e19b73081a1c977b850295ab6ded0fc994846fec9d1ba8bde3868a65edadf7dbce9f938558de277820ebbecaee3ec203c

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
6ebf92cfb99e4a5b2be8aacea39b63ae

SHA1
1c4fc6734353e7bc4d067e9091b6744f64b92496

SHA256
a11ae3267dd03cf4da2d354e397a964160164747b4e545440fb8ac9d18cb97fd

SHA512
af058601569bb25a1923913bb6dc561adbb688bef1422b3786406298d4375431298f438f9d4d416861fa1d731a395b7c663799b7a6b6590b36a06647c45f60d1

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
224KB

MD5
65b0f1a482187116ed0765ed55116f39

SHA1
e56de42a44b75d0233bd822c1e355564be3280a9

SHA256
d0f0275a7694208eef27ae09757763c6ad406d111dfffa5565c623dcc546bfa2

SHA512
a05161b1f964979c30cbdfcba2da08fbfa058c348e81af5524362630ac400021e5868863002f8c34635fbeeb6bbc5a9bbf58efa02acd9d90a76b1ad929c765e3

Download Submit
memory/320-430-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/320-481-0x0000000073420000-0x0000000073B0E000-memory.dmp

Filesize
6.9MB

Download
memory/320-480-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/320-468-0x0000000073420000-0x0000000073B0E000-memory.dmp

Filesize
6.9MB

Download
memory/320-444-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/756-436-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/756-263-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/756-181-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/756-177-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/824-152-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/824-383-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/824-144-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/824-146-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/844-381-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/844-376-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/844-404-0x0000000074908000-0x000000007491D000-memory.dmp

Filesize
84KB

Download
memory/1016-434-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1016-391-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1016-390-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1016-382-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1016-425-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1016-416-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1184-137-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1184-115-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1272-98-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-99-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1272-105-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1272-126-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1368-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1368-261-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1368-1-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1368-7-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1368-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1480-95-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1480-176-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1504-128-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1504-129-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1504-135-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1504-281-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1760-356-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1760-379-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1760-267-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1760-268-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1760-394-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1760-275-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1760-317-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2160-282-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2240-178-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/2240-264-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2240-171-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2240-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2240-162-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2240-403-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2240-452-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2240-179-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/2432-311-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2432-312-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2488-13-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2488-46-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2488-163-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2488-18-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2488-47-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2556-339-0x000007FEF3690000-0x000007FEF402D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-402-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/2556-341-0x0000000000CA0000-0x0000000000D20000-memory.dmp

Filesize
512KB

Download
memory/2556-350-0x000007FEF3690000-0x000007FEF402D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-471-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2568-488-0x0000000073420000-0x0000000073B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-483-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2636-321-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2636-389-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/2668-388-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2668-319-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2840-357-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2840-371-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download