513b2379e05a8fe5ed1ca4c7092dad5376353e45a6fdfd4657af338d6d32df1c

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 17:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f5daa46ec41847d2efdaae8c67cb74b0N.exe
Size

1.5MB
MD5

f5daa46ec41847d2efdaae8c67cb74b0
SHA1

c4aa5a7b6756253ee0f77c043ab14473201db2a7
SHA256

513b2379e05a8fe5ed1ca4c7092dad5376353e45a6fdfd4657af338d6d32df1c
SHA512

f7062841f743e962bb66e7c64ca5074152a2049ea2b4b88fcac78b2d464333238db8bfafc65f15b8f2261b722c49110b57426ba10f0b87de2b9c9adf7808931b
SSDEEP

24576:9D8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:9DgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 61 IoCs

pid	Process
464	Process not Found
2712	alg.exe
2968	aspnet_state.exe
2784	mscorsvw.exe
2740	mscorsvw.exe
2572	mscorsvw.exe
2476	mscorsvw.exe
3048	ehRecvr.exe
2096	ehsched.exe
876	elevation_service.exe
1828	GROOVE.EXE
1720	maintenanceservice.exe
944	OSE.EXE
1684	mscorsvw.exe
2964	mscorsvw.exe
2636	mscorsvw.exe
2044	mscorsvw.exe
2260	mscorsvw.exe
1676	mscorsvw.exe
1752	mscorsvw.exe
2544	mscorsvw.exe
2280	mscorsvw.exe
2148	mscorsvw.exe
1296	mscorsvw.exe
1076	mscorsvw.exe
1844	mscorsvw.exe
336	mscorsvw.exe
928	mscorsvw.exe
836	mscorsvw.exe
2736	mscorsvw.exe
2412	mscorsvw.exe
2156	mscorsvw.exe
2616	mscorsvw.exe
2116	mscorsvw.exe
1328	mscorsvw.exe
2164	mscorsvw.exe
956	mscorsvw.exe
2204	mscorsvw.exe
1344	IEEtwCollector.exe
2728	msdtc.exe
1412	msiexec.exe
2608	perfhost.exe
2516	locator.exe
2996	snmptrap.exe
1816	vds.exe
2820	vssvc.exe
972	wbengine.exe
1040	WmiApSrv.exe
2908	wmpnetwk.exe
2388	SearchIndexer.exe
1548	mscorsvw.exe
672	mscorsvw.exe
2196	mscorsvw.exe
2112	mscorsvw.exe
1268	mscorsvw.exe
2268	mscorsvw.exe
1328	mscorsvw.exe
2124	mscorsvw.exe
3016	mscorsvw.exe
436	mscorsvw.exe
632	mscorsvw.exe

Loads dropped DLL 20 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1412	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
760	Process not Found
1268	mscorsvw.exe
1268	mscorsvw.exe
1328	mscorsvw.exe
1328	mscorsvw.exe
3016	mscorsvw.exe
3016	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f83711dad264f17b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe

Drops file in Windows directory 58 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAF81.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB4DE.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBAB8.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	f5daa46ec41847d2efdaae8c67cb74b0N.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5D6BAAC8-7E62-4E44-8FA5-D7EB0A2A5C95}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{5D6BAAC8-7E62-4E44-8FA5-D7EB0A2A5C95}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c032df3ecedada01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1808	ehRec.exe
2968	aspnet_state.exe
2968	aspnet_state.exe
2968	aspnet_state.exe
2968	aspnet_state.exe
2968	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2296	f5daa46ec41847d2efdaae8c67cb74b0N.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: 33	2236	EhTray.exe
Token: SeIncBasePriorityPrivilege	2236	EhTray.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeDebugPrivilege	1808	ehRec.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: 33	2236	EhTray.exe
Token: SeIncBasePriorityPrivilege	2236	EhTray.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeDebugPrivilege	2712	alg.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2968	aspnet_state.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeSecurityPrivilege	1412	msiexec.exe
Token: SeBackupPrivilege	2820	vssvc.exe
Token: SeRestorePrivilege	2820	vssvc.exe
Token: SeAuditPrivilege	2820	vssvc.exe
Token: SeBackupPrivilege	972	wbengine.exe
Token: SeRestorePrivilege	972	wbengine.exe
Token: SeSecurityPrivilege	972	wbengine.exe
Token: SeDebugPrivilege	2968	aspnet_state.exe
Token: 33	2908	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2908	wmpnetwk.exe
Token: SeManageVolumePrivilege	2388	SearchIndexer.exe
Token: 33	2388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2388	SearchIndexer.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2236	EhTray.exe
2236	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2236	EhTray.exe
2236	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1324	SearchProtocolHost.exe
1324	SearchProtocolHost.exe
1324	SearchProtocolHost.exe
1324	SearchProtocolHost.exe
1324	SearchProtocolHost.exe
584	SearchProtocolHost.exe
584	SearchProtocolHost.exe
584	SearchProtocolHost.exe
584	SearchProtocolHost.exe
584	SearchProtocolHost.exe
584	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1684	2572	mscorsvw.exe	43
PID 2572 wrote to memory of 1684	2572	mscorsvw.exe	43
PID 2572 wrote to memory of 1684	2572	mscorsvw.exe	43
PID 2572 wrote to memory of 1684	2572	mscorsvw.exe	43
PID 2572 wrote to memory of 2964	2572	mscorsvw.exe	44
PID 2572 wrote to memory of 2964	2572	mscorsvw.exe	44
PID 2572 wrote to memory of 2964	2572	mscorsvw.exe	44
PID 2572 wrote to memory of 2964	2572	mscorsvw.exe	44
PID 2572 wrote to memory of 2636	2572	mscorsvw.exe	45
PID 2572 wrote to memory of 2636	2572	mscorsvw.exe	45
PID 2572 wrote to memory of 2636	2572	mscorsvw.exe	45
PID 2572 wrote to memory of 2636	2572	mscorsvw.exe	45
PID 2572 wrote to memory of 2044	2572	mscorsvw.exe	46
PID 2572 wrote to memory of 2044	2572	mscorsvw.exe	46
PID 2572 wrote to memory of 2044	2572	mscorsvw.exe	46
PID 2572 wrote to memory of 2044	2572	mscorsvw.exe	46
PID 2572 wrote to memory of 2260	2572	mscorsvw.exe	47
PID 2572 wrote to memory of 2260	2572	mscorsvw.exe	47
PID 2572 wrote to memory of 2260	2572	mscorsvw.exe	47
PID 2572 wrote to memory of 2260	2572	mscorsvw.exe	47
PID 2572 wrote to memory of 1676	2572	mscorsvw.exe	48
PID 2572 wrote to memory of 1676	2572	mscorsvw.exe	48
PID 2572 wrote to memory of 1676	2572	mscorsvw.exe	48
PID 2572 wrote to memory of 1676	2572	mscorsvw.exe	48
PID 2572 wrote to memory of 1752	2572	mscorsvw.exe	49
PID 2572 wrote to memory of 1752	2572	mscorsvw.exe	49
PID 2572 wrote to memory of 1752	2572	mscorsvw.exe	49
PID 2572 wrote to memory of 1752	2572	mscorsvw.exe	49
PID 2572 wrote to memory of 2544	2572	mscorsvw.exe	50
PID 2572 wrote to memory of 2544	2572	mscorsvw.exe	50
PID 2572 wrote to memory of 2544	2572	mscorsvw.exe	50
PID 2572 wrote to memory of 2544	2572	mscorsvw.exe	50
PID 2572 wrote to memory of 2280	2572	mscorsvw.exe	51
PID 2572 wrote to memory of 2280	2572	mscorsvw.exe	51
PID 2572 wrote to memory of 2280	2572	mscorsvw.exe	51
PID 2572 wrote to memory of 2280	2572	mscorsvw.exe	51
PID 2572 wrote to memory of 2148	2572	mscorsvw.exe	52
PID 2572 wrote to memory of 2148	2572	mscorsvw.exe	52
PID 2572 wrote to memory of 2148	2572	mscorsvw.exe	52
PID 2572 wrote to memory of 2148	2572	mscorsvw.exe	52
PID 2572 wrote to memory of 1296	2572	mscorsvw.exe	53
PID 2572 wrote to memory of 1296	2572	mscorsvw.exe	53
PID 2572 wrote to memory of 1296	2572	mscorsvw.exe	53
PID 2572 wrote to memory of 1296	2572	mscorsvw.exe	53
PID 2572 wrote to memory of 1076	2572	mscorsvw.exe	54
PID 2572 wrote to memory of 1076	2572	mscorsvw.exe	54
PID 2572 wrote to memory of 1076	2572	mscorsvw.exe	54
PID 2572 wrote to memory of 1076	2572	mscorsvw.exe	54
PID 2572 wrote to memory of 1844	2572	mscorsvw.exe	55
PID 2572 wrote to memory of 1844	2572	mscorsvw.exe	55
PID 2572 wrote to memory of 1844	2572	mscorsvw.exe	55
PID 2572 wrote to memory of 1844	2572	mscorsvw.exe	55
PID 2572 wrote to memory of 336	2572	mscorsvw.exe	56
PID 2572 wrote to memory of 336	2572	mscorsvw.exe	56
PID 2572 wrote to memory of 336	2572	mscorsvw.exe	56
PID 2572 wrote to memory of 336	2572	mscorsvw.exe	56
PID 2572 wrote to memory of 928	2572	mscorsvw.exe	57
PID 2572 wrote to memory of 928	2572	mscorsvw.exe	57
PID 2572 wrote to memory of 928	2572	mscorsvw.exe	57
PID 2572 wrote to memory of 928	2572	mscorsvw.exe	57
PID 2572 wrote to memory of 836	2572	mscorsvw.exe	58
PID 2572 wrote to memory of 836	2572	mscorsvw.exe	58
PID 2572 wrote to memory of 836	2572	mscorsvw.exe	58
PID 2572 wrote to memory of 836	2572	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f5daa46ec41847d2efdaae8c67cb74b0N.exe
"C:\Users\Admin\AppData\Local\Temp\f5daa46ec41847d2efdaae8c67cb74b0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2784

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 1f0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d8 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 28c -NGENProcess 1f0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 26c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 25c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 280 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 280 -NGENProcess 1d8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 278 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 2a4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 260 -NGENProcess 1f8 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 24c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 224 -NGENProcess 1f8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1c4 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f8 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 27c -NGENProcess 1d0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d0 -NGENProcess 1c4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 270 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 27c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 1c4 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1c4 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 29c -NGENProcess 27c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 278 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 270 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 278 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:2964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3048

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2236

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:876

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1720

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:944

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1324
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:2528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
590f45c37e63792b9fdac7dd5394f9fc

SHA1
b3813a9543b640680b35e8b15228628d9a6b1a7f

SHA256
e9b7f2303fe90f9b787dddee99b952ef42415d7b11e14119046aced0473fa51c

SHA512
73102ed230068bdfe8300799ad8b922227eeeed15d146f7cc0c7fd3ec0b9a98206107c1f6d88caffaa7fcb815f1b368a8d4e73f88ad6dfd35b386bcead35426d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b58f7c24468fa68cb29bb6b34d36a48d

SHA1
1fdd83c1bfd844d81cbf9680251f7d041d107afc

SHA256
9c8fe220ca438b19b409d7b7bd400547f3fe2b7e1006dad1ce9bf642f6788cb0

SHA512
d22e04e382176957d8d06b82c0d5be6ea5b23802925debdb6b349f9d718b77d3cc01bacbe36d5b6d6f45419295ab3f66975075f98ff3bd134a7862b1e71d2ded

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
fdfec74eedb0109b00223574f174ff9b

SHA1
e50f1d907b79e04cd53b8b94eb8904b070b5d18e

SHA256
23a6f82a2ebe371b42c13abb2fa97cc5546f1a38ffa1a736b524d495c844b32f

SHA512
af8917f5fa0ce43ed74c84f0dcf9f062232b644ada40d3e243c48f7c8f24005082052f1a2cc7be9ec94bf3803738142c7e36be7f55ac8f0f8e7f2863b647501f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f78d4e1770e640068a80d95018c464b0

SHA1
95cb3caf26d92702b02889fa67e2cab07b0cbd7a

SHA256
64338eb49a0954fbc26c4c27197fd843c2505f089f69878c63bc4e394856b3e6

SHA512
c1e3a2ae4f275be66a775b427b8689edb91060fce5e562b372eebb616608d6ca8bed31ed1e324c7e4e27ed1d327330a3ea390eec4c95128ddc2ef924d9d36e1c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
bb36a8a60cdaf5b1521090f179bb2af0

SHA1
c08c363066b77fc117ddf01c3273c300b96ef27c

SHA256
bfe69a70fed5257cad9abc2035313afaa8dd184519d3a7e27691c9ec2950404e

SHA512
8b49d95350dae5be558469dd95abb501231bdfaefd5f046bb00fb3e285e51929baea2c164c09d3b11570d23d666fc4794022cc004044a13ab54efcdf5be48090

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
d52e49dffd12437d9d4e3701c11e0bd4

SHA1
c72a712923aa90252933f6a05b19de817f869156

SHA256
72af62a67a345206ca225acab2712ebd0492b91905b0e43ca6a3b5da10af2606

SHA512
fbfca80feb817bd41f7907978838dfe60e9c41f2c811c86a199be108ce5b3f63989d203d56ff170e011104c2c21136b34dc65da8064b81667b3710309fe88c92

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
f31ed7b4d9717f5a04b82e939116d109

SHA1
6330be1342d7db9fbc099767feba22dff50a0efd

SHA256
996c928ea17f5ecfeaf0f4d9ae32f920cf1dbbcb0e15cec032e8eb4f934182da

SHA512
cb202d686aa1f5e67176639672391f342387080dcae755f040abda75b5d8c27929fc052d164fd477599ac0bb492e7d4f9a81ad67babf433e580c2538ad32306e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
1256490c11d9ea066fc8a33335da536c

SHA1
ee184af70ddba8a9b5792da7c709dd70a166a123

SHA256
8bc533bc81ada3731fe6ce97a6df826fdf858271f025df0d1c01cd82f3c1af7b

SHA512
6ab60d999cbe7659f55aa77fbbf522de2871695fae8eff942767310e593b9eb06511924eca031d4de5378958b2f79c87449fe8f540f1fe9fd1cb6131e0b21458

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
105e4fa2572fea7a8ab253f6c949bb03

SHA1
663f0e6ef5a96379e501ecd31f54f65bb8433305

SHA256
747112d64251a85473875f9077cb2b8701f22682a0734b5d58e9550fe09e42ba

SHA512
7a348e45c3d2543c0729e2641e6a11f488e47de7fb80e7d760fac279d12391f2f642f62d83fc2870e5c39f44c7582e709297017caa4541d4a98147f536dd2e1d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
57e0eb556d463818808b9c18d8b82331

SHA1
93edbdd9d53e579592c9b29646fd71a748098c04

SHA256
d7ac03a2446322836d732bc16092f27aa3d41eabb36ee3e0c02722e9e8aa31ed

SHA512
cabfe9fd8ff58e744de57f363b2cf750b3ccba068dcefc4c78d4359f992c9acd4be5e52fa9ebfe17c7e445104c8c7384e0cdadf6ed4b863b3e7a342383bb59c8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
969126dd309b5b9246534b1b76f90616

SHA1
c092420f2b164119b6af4e3f860ff576dac434d2

SHA256
f8beb811c72aaba3cacbbe3d65968d427c9a0c0f4a1bc9bb418da1e87f1899c8

SHA512
47d0e31ac6f12cf16a5a5b9767d87b876428a004059875fe71ca93cf961818c677cc2c195a722a1326bdaae35e6c0474d21dfc114146e1565bf8506e91703146

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
8978484643587e9fe1726cfe98237fe6

SHA1
0d165697f33b218bb6bc5af611715fe1ec33d1a9

SHA256
1301252329f802aa80d8a30c9d4b7dbcb54112878b0f836a5a8cbbe4c70c340c

SHA512
a2f246a7cd08d8a8afbdc359b55f5645ed5b410e9dc3d3cda0064b0f40f7c13727d1de66f3434dcf5ef93ec32d16092b622df5835187852e1c8d4b334fb73875

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
583c1efc7587780f3df6149df433d08d

SHA1
8b9b3a72b47d9f63ad98e375a568c8edee77ea0c

SHA256
1a1c83169c9c1a3ce87c19242b4f830abb58d7b2f9379dc3d863ed05a777f9aa

SHA512
d03361e1af2df3c48cff5b49c9e1bc8b1d0c6d2faa7cd436dae8b3d24f3cbf18f91c5a485ad8720eb94855469851c870ac770dc1b89fefc21a1566b5a014b28c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
8c58afe7c25572ba252043580be6825b

SHA1
4e4d24a5de679b5e6f7695cd915e252a8b5587a8

SHA256
a927b50e2796b62bd28737f7e06dc8c6a81eaf7e8f9ca57cb606731c7ae7ae2d

SHA512
97d7c20073b9fe48dae99b704dbf042ad50f47d3199d9645d668243e43fb78f641fce6c40a7174350b66e1c12abe78038e2c1270e07ad917f20ca0862b32e927

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
2944f27ae8d03d53f54e7d74a9a97d45

SHA1
22f033563b5a421f2a31c08f049073bc58a6eddd

SHA256
cab7264b7acc3d5556152dbdb1a3cdf3d765be22adcc0354174edb8c400a81f1

SHA512
fbe86a161cc61d3d8ad4d84cc7b00d27fe0f56e4ba88cd50cb843b3390c90506762cce99a2ffb9f6caedcce57b098de1ea877ad6b7e1a1c1c5191a94a71e7933

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
3874e318cbcedf1984513c8a74de782c

SHA1
3c91e67a68971b5f51c95d2c72c3e482e454f3e0

SHA256
4bb6b46b5f44a5ec44fb6abb09f85335c5f7e21f761935a42a63def00509478f

SHA512
f699733753dec4fa756ac30fc9b0fb6d26be1e885cb58b2ecb9c3ae842fdcf1cb08cc50f3c33de6dd8e9c93a875933c5e4a4d05146eb1240ba057e3a8bdd1385

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
41b5ab4b5c9da162cd3ad0973f0e18ef

SHA1
5815b852b98ec0b985403d3901e71147614b3303

SHA256
dd7b199c2e773d5d0642a87c6696f3d3e66ef0a6861a7542584102a6bfbebb1e

SHA512
34f8ddb39473ecc17215334ea23e6c3ed52dfa71398f9cb659b6ff762e710a246adf4a630fe7009f20592c7d5abd8915d93f0290ba2be837be4dc9501de8cacb

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
ef6c1bf1000f2dbbf46ef1e86fcbe3c8

SHA1
0452ac2e94efc664ef9220a87d6a4ca3fee2892e

SHA256
62be5d2a0bada2fe4dd3dae9ece8dbadc228aa582049c24572951f9915a3c629

SHA512
adb727e007b33056180ccef2511b6dd1d6f99885fe82c323a37adb8717c344f9a3359102749e67715424f301ce4d4ff3124d5f96f12d289b1e5089bada90df05

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4a9979bf495205f278616a7e93010133

SHA1
11048836ed81700bfa30e57c24c7e2d34fd9b332

SHA256
5c4f38948a61b6d85caa1399cb3ec9bbf094a6f185112b0347017206e974593d

SHA512
3ee63978e18eea55d0533a6317618d94cd94e90d16fe20aac2ccf156352aabb20ff74630251475a78a32e01083e373d071c4452484de65651c46e8e382d25df7

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
9986940436479b088dcacc42cc3e93cb

SHA1
90193faae097eeef4d66f1577f3dfd544d757bc2

SHA256
016d4eec7eac8b6497815abbaeafc870833e7c3348ce98d53b692ea30cd39ae7

SHA512
aa98faaae213c6928166cdf17d58f673ac42d8a68e03d94da96824e4b620ca48f6d18266e294fd0887b4f7ae85225d735fa4bca9626b8e1e3ea7a0c4cfe69610

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
bb70dc8f27c1ca720df30712a1ee2a4f

SHA1
583ae652577a9e59e5ea073b65898bba90c43678

SHA256
1463ecceb379e90db6d772be37da8c1fb0b62804b400682859ec92916b0dc99a

SHA512
34a02ddbbe5acae224a720b3f5db694982658b88528d06534ae99a35d88ba8df74bead955f7288c0812fc48a04eedf54e389afa920c3b315689f52d61d2c71ca

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
83d877eba4a6fb34b25df00303248ae7

SHA1
0def9b27012a540063e3221a55ae6e5cfa27c158

SHA256
d3b06eb589c1211a438862cb42a936512d26dd30a9d9a1b0a3bee5ef03458e0d

SHA512
897a099bcb7d861a2aec845a531062e92e8d1a5e9b60d277ada397c8726182bb7cf697264fd9f76054ebcbf9346ead0324fe7b942fc89d89f967272e4f90ba76

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
f72ac1598d67da01585efc116e42e1f2

SHA1
ad60c0e5eb34408e557050eb3e7c19f70f4c3108

SHA256
4eb10154f8a6c390552d2e4de2dcea11462af77064e82a75012c826cf9859cac

SHA512
3e5f9fe0e0a184f766b7cbd58a65040c29b6164135e520122a0fdcd9cdb4e145d72461e2fc625f410259b3a5ba0726d053047d455b6a7b740fa74b0ab1adfacd

Download Submit
memory/336-511-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/336-490-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/836-545-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/876-343-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/876-145-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/928-512-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/928-517-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/944-181-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/944-413-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/956-651-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1076-477-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1076-450-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1296-453-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1296-446-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1328-625-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1344-670-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1344-957-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1412-698-0x00000000005B0000-0x0000000000742000-memory.dmp

Filesize
1.6MB

Download
memory/1412-696-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/1676-368-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1676-344-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1684-240-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1684-208-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1720-172-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1720-176-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1752-370-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1752-373-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1828-369-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1828-159-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1844-499-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1844-479-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2044-297-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2044-321-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2096-590-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2096-123-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2096-322-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2116-612-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2148-425-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2148-442-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2156-587-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2164-628-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2204-654-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2260-346-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2260-323-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2280-415-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2280-428-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2296-8-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/2296-1-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/2296-148-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2296-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2296-6-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/2296-93-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2412-576-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2476-100-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-94-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2476-101-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2476-267-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2516-723-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2544-416-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2572-887-0x0000000001D00000-0x0000000001DA4000-memory.dmp

Filesize
656KB

Download
memory/2572-893-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2572-895-0x0000000001D00000-0x0000000001D66000-memory.dmp

Filesize
408KB

Download
memory/2572-894-0x0000000001D00000-0x0000000001D2A000-memory.dmp

Filesize
168KB

Download
memory/2572-892-0x0000000001D00000-0x0000000001D24000-memory.dmp

Filesize
144KB

Download
memory/2572-891-0x0000000001D00000-0x0000000001D88000-memory.dmp

Filesize
544KB

Download
memory/2572-890-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/2572-889-0x0000000001D00000-0x0000000001DEC000-memory.dmp

Filesize
944KB

Download
memory/2572-235-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2572-888-0x0000000001F80000-0x000000000211E000-memory.dmp

Filesize
1.6MB

Download
memory/2572-886-0x0000000001D00000-0x0000000001D8C000-memory.dmp

Filesize
560KB

Download
memory/2572-885-0x0000000001D00000-0x0000000001D1A000-memory.dmp

Filesize
104KB

Download
memory/2572-79-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/2572-74-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/2572-73-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2572-884-0x0000000001D00000-0x0000000001D1E000-memory.dmp

Filesize
120KB

Download
memory/2572-883-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/2608-719-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2616-601-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2636-301-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2636-273-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2712-13-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2712-21-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2712-20-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2712-110-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2728-683-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2728-1003-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2736-558-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2736-542-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2740-62-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2740-57-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2740-55-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2740-92-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2784-39-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2784-71-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2784-40-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2784-45-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2964-236-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2964-266-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2968-27-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2968-28-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2968-36-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2968-160-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2996-743-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/3048-117-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3048-295-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3048-118-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3048-662-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3048-111-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download