17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 15:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
Size

1.8MB
MD5

300433cf82b651f7cd057f85ace7fe08
SHA1

5cdca2c07ccef189c461b7a123c523331a0d7e3e
SHA256

17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e
SHA512

ddfa9f4ff22b02d71a0635b3ac97de9f4c7bd50d099e708aa0a985fbbc9e719aef0501bc99271fe36898e1f48515ce86353ab92e956e9aa186a4498bd8c82bf2
SSDEEP

49152:Hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA6Cks7R9L58UqFJjskU:HvbjVkjjCAzJXC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2796	alg.exe
2164	aspnet_state.exe
2776	mscorsvw.exe
2432	mscorsvw.exe
884	mscorsvw.exe
1956	mscorsvw.exe
2244	ehRecvr.exe
540	ehsched.exe
2332	elevation_service.exe
2660	mscorsvw.exe
2464	mscorsvw.exe
2204	mscorsvw.exe
2144	mscorsvw.exe
2524	mscorsvw.exe
852	mscorsvw.exe
1064	mscorsvw.exe
1176	mscorsvw.exe
3048	mscorsvw.exe
1744	mscorsvw.exe
720	mscorsvw.exe
2684	mscorsvw.exe
2660	mscorsvw.exe
2276	mscorsvw.exe
2936	mscorsvw.exe
2072	mscorsvw.exe
1812	mscorsvw.exe
2032	mscorsvw.exe
1768	mscorsvw.exe
2960	mscorsvw.exe
1764	mscorsvw.exe
2192	mscorsvw.exe
2456	mscorsvw.exe
2508	mscorsvw.exe
2764	mscorsvw.exe
2248	dllhost.exe
3068	GROOVE.EXE
2936	maintenanceservice.exe
2028	OSE.EXE
1188	OSPPSVC.EXE
488	mscorsvw.exe
2240	mscorsvw.exe
2668	mscorsvw.exe
3000	mscorsvw.exe
2812	mscorsvw.exe
1972	mscorsvw.exe
1544	mscorsvw.exe
2692	mscorsvw.exe
652	mscorsvw.exe
1376	mscorsvw.exe
1704	mscorsvw.exe
3048	mscorsvw.exe
2004	mscorsvw.exe
1628	mscorsvw.exe
720	mscorsvw.exe
2516	mscorsvw.exe
2124	mscorsvw.exe
2712	mscorsvw.exe
2416	mscorsvw.exe
2580	mscorsvw.exe
1396	mscorsvw.exe
2088	mscorsvw.exe
1604	mscorsvw.exe
2304	mscorsvw.exe

Loads dropped DLL 41 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2812	mscorsvw.exe
2812	mscorsvw.exe
1544	mscorsvw.exe
1544	mscorsvw.exe
652	mscorsvw.exe
652	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
2004	mscorsvw.exe
2004	mscorsvw.exe
720	mscorsvw.exe
720	mscorsvw.exe
2124	mscorsvw.exe
2124	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
1396	mscorsvw.exe
1396	mscorsvw.exe
1604	mscorsvw.exe
1604	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
2284	mscorsvw.exe
2284	mscorsvw.exe
2608	mscorsvw.exe
2608	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
324	mscorsvw.exe
324	mscorsvw.exe
2812	mscorsvw.exe
2812	mscorsvw.exe
2360	mscorsvw.exe
2360	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6e61fcb52a37835d.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM14D8.tmp\psuser.dll	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM14D8.tmp\goopdateres_et.dll	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0CE5CC7E-EAA3-4562-A781-DCB0067BB36A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM14D8.tmp\goopdateres_uk.dll	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM14D8.tmp\GoogleUpdateOnDemand.exe	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM14D8.tmp\psuser_64.dll	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP232A.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE8AA.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC75.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFD9.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1692	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	856	17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: 33	2324	EhTray.exe
Token: SeIncBasePriorityPrivilege	2324	EhTray.exe
Token: SeDebugPrivilege	1692	ehRec.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: 33	2324	EhTray.exe
Token: SeIncBasePriorityPrivilege	2324	EhTray.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeDebugPrivilege	2796	alg.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeDebugPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	884	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2324	EhTray.exe
2324	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2324	EhTray.exe
2324	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2660	884	mscorsvw.exe	39
PID 884 wrote to memory of 2660	884	mscorsvw.exe	39
PID 884 wrote to memory of 2660	884	mscorsvw.exe	39
PID 884 wrote to memory of 2660	884	mscorsvw.exe	39
PID 884 wrote to memory of 2464	884	mscorsvw.exe	40
PID 884 wrote to memory of 2464	884	mscorsvw.exe	40
PID 884 wrote to memory of 2464	884	mscorsvw.exe	40
PID 884 wrote to memory of 2464	884	mscorsvw.exe	40
PID 884 wrote to memory of 2204	884	mscorsvw.exe	41
PID 884 wrote to memory of 2204	884	mscorsvw.exe	41
PID 884 wrote to memory of 2204	884	mscorsvw.exe	41
PID 884 wrote to memory of 2204	884	mscorsvw.exe	41
PID 884 wrote to memory of 2144	884	mscorsvw.exe	42
PID 884 wrote to memory of 2144	884	mscorsvw.exe	42
PID 884 wrote to memory of 2144	884	mscorsvw.exe	42
PID 884 wrote to memory of 2144	884	mscorsvw.exe	42
PID 884 wrote to memory of 2524	884	mscorsvw.exe	43
PID 884 wrote to memory of 2524	884	mscorsvw.exe	43
PID 884 wrote to memory of 2524	884	mscorsvw.exe	43
PID 884 wrote to memory of 2524	884	mscorsvw.exe	43
PID 884 wrote to memory of 852	884	mscorsvw.exe	44
PID 884 wrote to memory of 852	884	mscorsvw.exe	44
PID 884 wrote to memory of 852	884	mscorsvw.exe	44
PID 884 wrote to memory of 852	884	mscorsvw.exe	44
PID 884 wrote to memory of 1064	884	mscorsvw.exe	45
PID 884 wrote to memory of 1064	884	mscorsvw.exe	45
PID 884 wrote to memory of 1064	884	mscorsvw.exe	45
PID 884 wrote to memory of 1064	884	mscorsvw.exe	45
PID 884 wrote to memory of 1176	884	mscorsvw.exe	46
PID 884 wrote to memory of 1176	884	mscorsvw.exe	46
PID 884 wrote to memory of 1176	884	mscorsvw.exe	46
PID 884 wrote to memory of 1176	884	mscorsvw.exe	46
PID 884 wrote to memory of 3048	884	mscorsvw.exe	47
PID 884 wrote to memory of 3048	884	mscorsvw.exe	47
PID 884 wrote to memory of 3048	884	mscorsvw.exe	47
PID 884 wrote to memory of 3048	884	mscorsvw.exe	47
PID 884 wrote to memory of 1744	884	mscorsvw.exe	48
PID 884 wrote to memory of 1744	884	mscorsvw.exe	48
PID 884 wrote to memory of 1744	884	mscorsvw.exe	48
PID 884 wrote to memory of 1744	884	mscorsvw.exe	48
PID 884 wrote to memory of 720	884	mscorsvw.exe	49
PID 884 wrote to memory of 720	884	mscorsvw.exe	49
PID 884 wrote to memory of 720	884	mscorsvw.exe	49
PID 884 wrote to memory of 720	884	mscorsvw.exe	49
PID 884 wrote to memory of 2684	884	mscorsvw.exe	50
PID 884 wrote to memory of 2684	884	mscorsvw.exe	50
PID 884 wrote to memory of 2684	884	mscorsvw.exe	50
PID 884 wrote to memory of 2684	884	mscorsvw.exe	50
PID 884 wrote to memory of 2660	884	mscorsvw.exe	51
PID 884 wrote to memory of 2660	884	mscorsvw.exe	51
PID 884 wrote to memory of 2660	884	mscorsvw.exe	51
PID 884 wrote to memory of 2660	884	mscorsvw.exe	51
PID 884 wrote to memory of 2276	884	mscorsvw.exe	52
PID 884 wrote to memory of 2276	884	mscorsvw.exe	52
PID 884 wrote to memory of 2276	884	mscorsvw.exe	52
PID 884 wrote to memory of 2276	884	mscorsvw.exe	52
PID 884 wrote to memory of 2936	884	mscorsvw.exe	53
PID 884 wrote to memory of 2936	884	mscorsvw.exe	53
PID 884 wrote to memory of 2936	884	mscorsvw.exe	53
PID 884 wrote to memory of 2936	884	mscorsvw.exe	53
PID 884 wrote to memory of 2072	884	mscorsvw.exe	54
PID 884 wrote to memory of 2072	884	mscorsvw.exe	54
PID 884 wrote to memory of 2072	884	mscorsvw.exe	54
PID 884 wrote to memory of 2072	884	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe
"C:\Users\Admin\AppData\Local\Temp\17884f7eabbfe6ecfa34ef8e49549add0abe73f05d5f1509c757e194d94eda9e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 248 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 238 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 238 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 258 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 248 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 260 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 280 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 250 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 2a4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 250 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 228 -NGENProcess 284 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 254 -NGENProcess 298 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 254 -NGENProcess 228 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 1ec -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 1d4 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1e4 -NGENProcess 1f4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 1e4 -NGENProcess 240 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1cc -NGENProcess 240 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1cc -NGENProcess 1f4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 260 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1c0 -NGENProcess 244 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 264 -NGENProcess 28c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 244 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e8 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 244 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 244 -NGENProcess 300 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 308 -NGENProcess 314 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 308 -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 310 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 310 -NGENProcess 1d4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 1e4 -NGENProcess 324 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e4 -NGENProcess 2e4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 320 -NGENProcess 32c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 320 -NGENProcess 30c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 328 -NGENProcess 334 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 328 -NGENProcess 314 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 330 -NGENProcess 33c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 330 -NGENProcess 31c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 338 -NGENProcess 344 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 338 -NGENProcess 324 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 340 -NGENProcess 320 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 340 -NGENProcess 334 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 348 -NGENProcess 334 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 118 -InterruptEvent 348 -NGENProcess 320 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 330 -NGENProcess 354 -Pipe 118 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 330 -NGENProcess 344 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 330 -NGENProcess 33c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 330 -NGENProcess 338 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 2b0 -NGENProcess 2ec -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 240 -NGENProcess 338 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 364 -NGENProcess 350 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2244

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3068

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2028

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
fc3047375661a07489508814495d2241

SHA1
dfa837f68b40d796cdc156b68a39e097904572af

SHA256
eb8306ad3eb8d2b80f14c924a7642ef828427a379e6137653565cb767628f5bb

SHA512
25df8ca8a588fdeb9aac745a01656e440e083d6550cb9d6cbf29dd0b9bfbac7857ec60386a656f0db02583174c18192522e203eee9a1f68f732bfe57865cd6aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
6.1MB

MD5
77c381ced4f8b50c9e540972fa637056

SHA1
40d8f697b7818a29e7d124228673ee9774ce09a6

SHA256
b02b0618aa78e72424713e53c023cc60555951ec8dab2ae15a8be8f7435c78d7

SHA512
8e3272e211f95f6d8a4edc8a629bbf1d290baae3275cd09716e2f81f9121f2a23b395393de15a54d9c37e1c7d26978326d5a7078c5b52c8c7b51b91cc749c778

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
c4c6b370cb823a3225dbca3604674989

SHA1
3cbf6a11b08224de287300ff0681a2f0b52adc59

SHA256
b3bff8883d7f6b2bc1cd0fd13cb02f4e54381e16069d12fbb87e9167200364e8

SHA512
2c338e44095c64578dc529276df3c5edf58e7f826e4814f8c56c6006e4bdb07cb2f40853bec23dad0b583f07660e833d57c13d6013ae24a0bc6c2475303e6621

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
8006b359a720f202a45e990f9ef9f380

SHA1
44fe2b6d1af6fd6017c33ce8db09afb9fa4a59a1

SHA256
72f9bc5503c1a63a8f2c3712df724a7ea81bdc2cbf9b423095b38b4e9389fe8a

SHA512
f5b80ee217ed7f43e7659970592bcec61ff8e75cfc1b1d0babc0ab1319db745e2101267d604659ff6cb76eba5f9efb7d973b8dd6a47e437b8866a990361b56fa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
241a9bf6f9e86e4f7e27ca585b82dc81

SHA1
d41c2383c1945dc8ce5c43d4efb61a0aafa760bd

SHA256
0f496f0cd2cb43d16345cda72c316001d373f6266de414804c6cbc38807ad402

SHA512
cb060dd69f112eaf82163ab2ecc2b400a3c1cec45dcfa145910330e407fcac23d49ef1c431765adebfa84f7b1dc483f3dafa16b268c6144920b373defe2f290b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
8b30d4b21e0cad39b9f30dec381c728f

SHA1
7ca1080070b78c6b04022d669a89af498461f4e6

SHA256
65fe4e17f9c64bc47fce2e4e09540f01c2fc6a4b200666b1c802d72054c47f86

SHA512
975f5bba0df1c94146e3c910d86c9068f62ee1da4176493d82215d145163188891dc52930d040f4e6a2c67a9374c181a688315857325e1a14c0633f31751457a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
451e3203900365273c5dc385c3c5f144

SHA1
b053665ef5b8d1e0b3eb3cb911cb8f6e01f748bc

SHA256
5e89254a25fbc631cc506cea4da3ef18970aad8f21692c4dba2563984b85b0df

SHA512
e4fc7d19f778aa8138541be92d202510b5f536c6fb3a871ac1ce9ab0e20f9543639e53d4de94e715b3648906025d26603ccb6c7157b5c8ac3bc693f301329bbb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
967ae78d9eacfcdd9cac32897febecc5

SHA1
e726d6ff9d68025126f6dbff127fe546175c80b8

SHA256
a018a290081beb9bfc4b68e433dbd52931b9c710164ed3726b731f1ec462964d

SHA512
86edc6c4f677fd6fa2cc50a2c3d7180d39ba4b555371fa437c5a88bc96aef9432bf7866c987cd660f4d7b42bc21b386008bf15fd28811e9b6a3c8a24ccecfcb1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
4f834a46fe31a57a9c7e16d2742fa46e

SHA1
0265b31f67eb263fecd6e126965c48de3e00d41c

SHA256
cbaf2b9c11322488a73a56245fd6f1677dd40f35c0f6900a2e1d125a8ef2e90f

SHA512
f8d106d15464197e140b476b78db90ece978a52a784b0c09baab8d21108a629a1a905a04ce2b88f9554e00e2cdc9e22c56da69a14927898a652d569bd1268c27

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
825b1bc280a39e95ce27aa76302489f8

SHA1
99501cd4a46773809a49aa821f125228660d01f2

SHA256
bcc25e63a27173f345a9fb8fd6ccafaef2757bd8dd3e41c7eb0560768bd377e7

SHA512
9158693b19ef40c68049fe71ed7f0854e5dd6d3b88a03230b8285dbbfb4c58255c7bf0a91c7b6555d93546991728292d37e0854632ae4b70d8aa4f7b9fa7c881

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3ee25eb2a947d8130401062d7fb800cb

SHA1
89c9fc0ec5e73eaa3b9f27939fd272158d37c6e0

SHA256
7f211b20ad331b24828ffc72f23e5ea5912bcd2f11086599993175060c6badf3

SHA512
0e3a082709f41110f80986d6fda5253398613badcd06d605e2574b9c19a14839eedb33d44560808fefe7376b28df84b4f345ff367fab220d78d278cd4f804445

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
ff15b77411334dcb7718dd87fc575ed6

SHA1
ba675dca826303e3869e2bc3570819066ebe759a

SHA256
c6b012db272ceb5f0f11f3808c6243dad8471e6301cd80c7809da0d3641e5428

SHA512
eb1f0f1b3b2688c17a90da4d436845a1b0ec92331d96f1b712cc2754fb3988e08c57dff963b9626df13e1af9e7812d0787d8964d6f6181bd04bc7bf20b00f1bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
640KB

MD5
876205e6b6a3064e8faab42a4e0cd9bd

SHA1
213efb3267aa39f73e23405d65fe28ce8b980079

SHA256
e22e0c7d74590680fdbcafa0eee01330dc5907dc868c1c96c1495c880b881375

SHA512
a57b108cbffb61b0ca24d247cc79abaf60fd4c8723852964b057ac9e8a07be3d97812815dfd752b8ce8f630f5bf2fb3e1e81692be5f6818fd01a42802927a195

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
384KB

MD5
2923b4d49ad63a83a6e5b775072a46a7

SHA1
493e654b4548aacdfe05a83b54195ce3ff57b7c5

SHA256
964f7a91abb82e49dc2b5ec4f7c8bb2f32761eff218a9ca826aceb1741a95424

SHA512
9e2686e9437a1f6cfd7ba2e15ec12a345f7d6bcc4b4fcb30a552b13926cb20472d61761d049cfe3a40ad7391de526715137571b3fe83e74388cf1d6e42989c74

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
2a7d1ac5759ddaeee926b4c855574563

SHA1
ae349f7c7c1a5eaf72de02c7fdf07e5c7e9cd62b

SHA256
42083bc30b248714747947f2e171f690b5fd9f9b5273341f53fa6b9d0b5a8eb6

SHA512
e22e5acc4c2db4572c65ff75c7df565a92e11c8171d3a7c67887821f5842adbdce64b6d9b4fe9f83ce731a04a0be12980f0e4ef86583a083078a3dd99c35b33b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3b9c6102d7f13277d45ba52cc5a22dd0\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ef124ed9ca0c7c223875893744318f1b

SHA1
8ae59575fe30b726a177c779797d418be8a74266

SHA256
3a97f53b5783d8c897835a6c71d3aafbd5fa002d02358a5440da1a51420f2bd2

SHA512
182946f49db2a26fae7ee7455544424e629d19be7f1cf268d6daf4762a05032c53f3a68033ddf35bed157ed311ed9baa4b7d824720fb31f8869bfc611276f33a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\dc9d9fc39bb8362dfb9ff7f0e7baf98e\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
6fab4ca2cae766c8ea452a0e7453e7a4

SHA1
921c217e9ede1abced99985858f0b673ffaaa30c

SHA256
7c63af73d02f926ab491de29f71e815a4e122f239d7a46230bff91ac0b5566e8

SHA512
f2e9129ee657967b0ab5f41ed05a8920668d455126ba246f726c0db3adc255cac4a6fd4516f73d7fc6181ebc7e6e9077ceb35bc7c3a869cce316f40c678641da

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\dda1e184e569dab19298b4934452242f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
712b34af1248a18bbfaa353307c69e03

SHA1
528bba0d73d1f6257e7aefe6b239d88a21717651

SHA256
de3d3a39077741217fdba417ba4c928252e9b8f5b143e611ae87db1d1a360c1e

SHA512
48f22329fcf04232dbda78cd68c6d33c20e7b4fd0a0df0f908757118e9eeaf6a19bc720db4856d6ce785fc29728f05137a65524bef10897904b508c887acb32d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
7ad3bec83ef9a12e64c7ddfa9c14a953

SHA1
ad05e068472bcfbee2fa6ec8d45e1b08a8b47815

SHA256
13cbc0424611ee1cac6d6fadb03e9c5d61cae81dbd77c0d272575696de2f9d8f

SHA512
5a054d6bceb268e65f81a916c623820f03539920d3ad47ce4cc3ed9a3f1b71769683ae88f87378e558d57c67836b05c0144f6051e0730bc46dacf3f118bff1c2

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
cb2a726ee5bd0d1e6820262d99aa3f23

SHA1
8a62e1a84d8699e12f6240350024a891375fd31c

SHA256
4de2470bbe040627e3aeb96f96b05026c62b1bf45cb3e9c17014d1c06ab6fd3c

SHA512
2493b151b8f85d59103bd7c15084c009943ae0848c12c0f5d35fe6cc5c92b36bbb25450993b5358665e326485de5a96182f6a236f81d61f2a5a5786538e89bb9

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
c8eb4c5f6724fa49171b832098b0ba31

SHA1
f0d2dad37a99b702b43a0cfd6cd5fa323787f26a

SHA256
e988d4e76e3f45dbfb333c12ad5eed1736f4a1524e8991c66fa0cdc29b4a482e

SHA512
187353211b77156a227a8a81da2618265722a43c744aa99d86a0f0f80227221d911a575313425727352737a5ae17f53254295d4f5fee8835e76f71781c336f9b

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA860.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC75.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
46f52c1db34ea020dbb58e67c985af4e

SHA1
37e95c259ae753e3960f69df4d0c7054c38ac122

SHA256
2a2ab387c02ed1b35fcac1a379ec52c7b0136b98ace48ee780d18928ba91f89a

SHA512
a9f09e6f57ec2647b057f555f9bcb48963c571acb7d625301cf4db94088efe03a8bf0c5860ea1011a2a5b97553a8da4d5f227afcd5a159c3c3e2192a500a35be

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
dc6507d83a894d89ac310709f187e4b4

SHA1
64d56283aa85617cadb128c9bc2c28d96b68f30b

SHA256
b185fc006d4d05fc682111729a72a2fed396863a19201e623238957b234ba285

SHA512
2223d8bc9e268d55f5ea891d55cb7ced0648df3056d7739e2cfd43cbeca5dddff1a83de8d798d3c8c51ed49943999599ac022334843512304868be914f8aa40b

Download Submit
memory/540-172-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/540-171-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/540-295-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/540-178-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/852-375-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/852-365-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/852-370-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/852-388-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/856-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/856-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/856-276-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/856-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/856-145-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/884-130-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/884-195-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/884-124-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/884-125-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1064-384-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/1064-378-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1692-320-0x000007FEF47C0000-0x000007FEF515D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-202-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/1692-200-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/1692-198-0x000007FEF47C0000-0x000007FEF515D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-196-0x000007FEF47C0000-0x000007FEF515D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-197-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/1692-331-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/1692-328-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/1692-321-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/1956-201-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1956-140-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1956-146-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1956-148-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2144-357-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-346-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-340-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2144-358-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2144-333-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2164-93-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2164-170-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2204-342-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-343-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2204-327-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-322-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2204-315-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2244-157-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2244-288-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-183-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2244-184-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2244-159-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-164-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2244-309-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2244-181-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2332-186-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2332-192-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2332-312-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2332-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2432-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2432-136-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2464-326-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2464-297-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2464-302-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2464-308-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-325-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-359-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-372-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-373-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-374-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/2524-348-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-352-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/2660-281-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2660-289-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2660-292-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-306-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2660-307-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-122-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2776-102-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2776-97-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2776-96-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2796-156-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2796-45-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2796-12-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2796-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download