fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
Size

1.6MB
MD5

a3c0d1b7fc5bebd106361df406f34190
SHA1

517a7663c2bd33f3e44a5d66c42351bd918d6cae
SHA256

fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0
SHA512

baf061b03b36c6ca5e368c1d47dbd32773bbd97a4b8626657205179690783fb92280205f681e0c103607e16e8a3e4330f9c28c2a49f9ed32cf21fe6109887eaa
SSDEEP

12288:TbuJ9fcXbz0TfxSUw7UbwviW8me3f8+K4ue61E1AsTwn4t9sjGIB1nWWcXlP7G:3u9fc0TJSUAUbLMevZesQ4+nOXVG

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 63 IoCs

pid	Process
460	Process not Found
1648	alg.exe
2720	aspnet_state.exe
2772	mscorsvw.exe
2544	mscorsvw.exe
924	mscorsvw.exe
1876	mscorsvw.exe
568	ehRecvr.exe
2056	ehsched.exe
2292	elevation_service.exe
1584	GROOVE.EXE
1736	maintenanceservice.exe
936	OSE.EXE
2244	mscorsvw.exe
2236	mscorsvw.exe
2924	mscorsvw.exe
2744	mscorsvw.exe
1132	mscorsvw.exe
1048	mscorsvw.exe
1568	mscorsvw.exe
2644	mscorsvw.exe
512	mscorsvw.exe
2564	mscorsvw.exe
2896	mscorsvw.exe
2012	mscorsvw.exe
824	mscorsvw.exe
1344	mscorsvw.exe
1940	mscorsvw.exe
2356	mscorsvw.exe
2508	mscorsvw.exe
1076	mscorsvw.exe
2904	mscorsvw.exe
2960	mscorsvw.exe
2876	mscorsvw.exe
2368	mscorsvw.exe
1100	mscorsvw.exe
1040	mscorsvw.exe
832	mscorsvw.exe
2688	mscorsvw.exe
2912	mscorsvw.exe
1104	mscorsvw.exe
556	mscorsvw.exe
1348	mscorsvw.exe
2280	mscorsvw.exe
1612	mscorsvw.exe
2748	mscorsvw.exe
2920	mscorsvw.exe
2112	mscorsvw.exe
1528	mscorsvw.exe
1080	mscorsvw.exe
2140	mscorsvw.exe
840	mscorsvw.exe
556	mscorsvw.exe
2608	mscorsvw.exe
876	mscorsvw.exe
1220	mscorsvw.exe
2252	mscorsvw.exe
2016	mscorsvw.exe
2116	mscorsvw.exe
3036	mscorsvw.exe
748	mscorsvw.exe
2884	mscorsvw.exe
2876	mscorsvw.exe

Loads dropped DLL 24 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
1348	mscorsvw.exe
1348	mscorsvw.exe
1612	mscorsvw.exe
1612	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
1528	mscorsvw.exe
1528	mscorsvw.exe
2140	mscorsvw.exe
2140	mscorsvw.exe
556	mscorsvw.exe
556	mscorsvw.exe
876	mscorsvw.exe
876	mscorsvw.exe
2252	mscorsvw.exe
2252	mscorsvw.exe
2116	mscorsvw.exe
2116	mscorsvw.exe
748	mscorsvw.exe
748	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9ba46ae7f1301b95.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP420F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP52F1.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP45C7.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5541.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4F39.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2436	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	468	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: 33	1248	EhTray.exe
Token: SeIncBasePriorityPrivilege	1248	EhTray.exe
Token: SeDebugPrivilege	2436	ehRec.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: 33	1248	EhTray.exe
Token: SeIncBasePriorityPrivilege	1248	EhTray.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeDebugPrivilege	1648	alg.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeDebugPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	924	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1248	EhTray.exe
1248	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1248	EhTray.exe
1248	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2244	1876	mscorsvw.exe	44
PID 1876 wrote to memory of 2244	1876	mscorsvw.exe	44
PID 1876 wrote to memory of 2244	1876	mscorsvw.exe	44
PID 1876 wrote to memory of 2236	1876	mscorsvw.exe	45
PID 1876 wrote to memory of 2236	1876	mscorsvw.exe	45
PID 1876 wrote to memory of 2236	1876	mscorsvw.exe	45
PID 924 wrote to memory of 2924	924	mscorsvw.exe	46
PID 924 wrote to memory of 2924	924	mscorsvw.exe	46
PID 924 wrote to memory of 2924	924	mscorsvw.exe	46
PID 924 wrote to memory of 2924	924	mscorsvw.exe	46
PID 924 wrote to memory of 2744	924	mscorsvw.exe	47
PID 924 wrote to memory of 2744	924	mscorsvw.exe	47
PID 924 wrote to memory of 2744	924	mscorsvw.exe	47
PID 924 wrote to memory of 2744	924	mscorsvw.exe	47
PID 924 wrote to memory of 1132	924	mscorsvw.exe	48
PID 924 wrote to memory of 1132	924	mscorsvw.exe	48
PID 924 wrote to memory of 1132	924	mscorsvw.exe	48
PID 924 wrote to memory of 1132	924	mscorsvw.exe	48
PID 924 wrote to memory of 1048	924	mscorsvw.exe	49
PID 924 wrote to memory of 1048	924	mscorsvw.exe	49
PID 924 wrote to memory of 1048	924	mscorsvw.exe	49
PID 924 wrote to memory of 1048	924	mscorsvw.exe	49
PID 924 wrote to memory of 1568	924	mscorsvw.exe	50
PID 924 wrote to memory of 1568	924	mscorsvw.exe	50
PID 924 wrote to memory of 1568	924	mscorsvw.exe	50
PID 924 wrote to memory of 1568	924	mscorsvw.exe	50
PID 924 wrote to memory of 2644	924	mscorsvw.exe	51
PID 924 wrote to memory of 2644	924	mscorsvw.exe	51
PID 924 wrote to memory of 2644	924	mscorsvw.exe	51
PID 924 wrote to memory of 2644	924	mscorsvw.exe	51
PID 924 wrote to memory of 512	924	mscorsvw.exe	52
PID 924 wrote to memory of 512	924	mscorsvw.exe	52
PID 924 wrote to memory of 512	924	mscorsvw.exe	52
PID 924 wrote to memory of 512	924	mscorsvw.exe	52
PID 924 wrote to memory of 2564	924	mscorsvw.exe	53
PID 924 wrote to memory of 2564	924	mscorsvw.exe	53
PID 924 wrote to memory of 2564	924	mscorsvw.exe	53
PID 924 wrote to memory of 2564	924	mscorsvw.exe	53
PID 924 wrote to memory of 2896	924	mscorsvw.exe	54
PID 924 wrote to memory of 2896	924	mscorsvw.exe	54
PID 924 wrote to memory of 2896	924	mscorsvw.exe	54
PID 924 wrote to memory of 2896	924	mscorsvw.exe	54
PID 924 wrote to memory of 2012	924	mscorsvw.exe	55
PID 924 wrote to memory of 2012	924	mscorsvw.exe	55
PID 924 wrote to memory of 2012	924	mscorsvw.exe	55
PID 924 wrote to memory of 2012	924	mscorsvw.exe	55
PID 924 wrote to memory of 824	924	mscorsvw.exe	56
PID 924 wrote to memory of 824	924	mscorsvw.exe	56
PID 924 wrote to memory of 824	924	mscorsvw.exe	56
PID 924 wrote to memory of 824	924	mscorsvw.exe	56
PID 924 wrote to memory of 1344	924	mscorsvw.exe	57
PID 924 wrote to memory of 1344	924	mscorsvw.exe	57
PID 924 wrote to memory of 1344	924	mscorsvw.exe	57
PID 924 wrote to memory of 1344	924	mscorsvw.exe	57
PID 924 wrote to memory of 1940	924	mscorsvw.exe	58
PID 924 wrote to memory of 1940	924	mscorsvw.exe	58
PID 924 wrote to memory of 1940	924	mscorsvw.exe	58
PID 924 wrote to memory of 1940	924	mscorsvw.exe	58
PID 924 wrote to memory of 2356	924	mscorsvw.exe	59
PID 924 wrote to memory of 2356	924	mscorsvw.exe	59
PID 924 wrote to memory of 2356	924	mscorsvw.exe	59
PID 924 wrote to memory of 2356	924	mscorsvw.exe	59
PID 924 wrote to memory of 2508	924	mscorsvw.exe	60
PID 924 wrote to memory of 2508	924	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
"C:\Users\Admin\AppData\Local\Temp\fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2772

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 1dc -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 1dc -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 1dc -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 1dc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 288 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1dc -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1f4 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2a8 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 2b0 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b4 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1b0 -NGENProcess 1e4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 248 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 244 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 24c -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 244 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:568

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1736

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
1b2489e05bacae1233ffe352c8634410

SHA1
ab6847e3a8aa6acaa8af1c181c85fba08d797800

SHA256
5dc45c209b03e032eea7fd0dbd9130d14974e536a8face37fec1993fe857fc60

SHA512
68ddc759f6c87f6f72539aed77123bef31235aa9e69a9b74b1ce67ef91247dd996150684057f489758341e165a79bee0b6125a0d64626cd72d76632f064289a0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
0b45d52ae59895d5327fd332ae68a0b8

SHA1
94b8008a357a8224344f30402eb51afee29c6f20

SHA256
f1f1079c52b94101c3bd360bb914aafb518f420ae5ef67e5bfc009b2966befab

SHA512
6fb8ce9d3f6bf704d27419127f79e7b0381f318e0ef301c0f72621301c36c38591ba048565dd547455c15ed972590b676bdbace59e1d8263f9c8146c4b68b8b0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
ae0d0617d32d4a16841d66ff9fb83714

SHA1
eb786de4d6b0714397bc8f176a36e631d708c372

SHA256
9e60e8e1aa399964d4436a0d2a5161aebfe63e9b29992d0d7ccdaed508c19051

SHA512
d21b3ab0e068a85c7f7a17af144cdd9cd06b8658d52d21c5e23937170744aec8ae5e31ce5ca17d229415d100dd08d1d2d4377b5419c76e60b8b4b470b74ffde6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
37c66c6a69e0285c431e92fc943fbc76

SHA1
a2c98500bf31d053c7f8e6b2b459dd34d5572920

SHA256
d55b397fd93a007b2e9d63f45bfd1438a4e5d301806f27b97980711f0f4e157f

SHA512
cd55b370ae4cefcd946d6c5bd422eda18f533583036a8a03f4b8b045a08a11e5beaa0ee2675392820289ab21648ef3d4e1880e0a3c71e98969327540beb48fdf

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
e074338ba1827f9a70216f454ca13bb0

SHA1
97b1e13b13b8dfa06c45c1d4e5742d2c9939a672

SHA256
35b36d81ffae01580e5e4f5ece90e7b1f15b7932cb83a862864f88f79983f187

SHA512
fc6e221d43b69f9add7bb819e4c1368f520a78a1f34cb98ed315c54ca123ea10c239424cd875b63ca99a048cd470e6856dc7646e0ca9fe4995e7339c78c93d64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
35b81da9a875394f0183640741518662

SHA1
0eecb90d054a3f3cb95043528b5b1a5620dce7e2

SHA256
0b1220311bf313ec2cfbbe31c156fd1cbd73d2a9f73a98ae386dacd6cbab2bad

SHA512
268bc7879d6d05423db5b0451883996cb6a7458eea44aad43cbda4a27491d81079d4e9cbd6256b1cf6c0937e1ec43de5e724e13dad4693254538703ce774896b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
eeda1886f748d8758b088c565884e642

SHA1
e6f4bfcc1c27bd024a92f6f5226af91039708cd2

SHA256
aa174071d18570f50bd2e643617ff329cc6788a35bcca3491c39d0c5d14cb87a

SHA512
e6a2677b58f2952595407ca6fe6a74a724c0461fbbc17d880b49034c12c1b936d25445c3eb23530be50b86789c281c64d255d0978d8271b3d18f9b5556658209

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
cc676999ba1b06c0f40e48579686c79c

SHA1
2a34279feb438efdc29e6c0aa0248a3c51f498da

SHA256
39e88781c55393fb195e554930a1031915a57283b37284d05399077bb975a13f

SHA512
b26507c2692b584a814c62b300eebc7c5de697454ff12ff27b52d8d444ad2f36eafb77b5e0f9620cc2a17ed0afdfd49be306093bb5efa3495a958188159932f6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
41075fcd7d77019cddff1a25374ad46e

SHA1
4c415eafae5aea067435af9d98579b856b829dca

SHA256
67ab704be7b55cf1786b496c69db7ffa37f400326a485e8eb6a33bfac33581f3

SHA512
b26079d3e39bd52703a533d84b723a7a0709522f02fd3a81ca03040e958d261235eb53b3a437fca5dd36f117fa7bdf6a88c2b3f7f46fe5e4c7c52467102f2fe8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
aa84c258d48b7d717e6d2bd3e59ea4f2

SHA1
76e5c6191821ae44249740782953e59800bb4909

SHA256
8b431ca168a6940f7c0e9db095009c574f75540515e2dc6127b990035328c940

SHA512
5ee522c78e05defbe43cfe0c0e26ddb81317a1f9e291cb90ebb82eacf6f0589aff084167ea996d220a452b78f4ad1003ac6bf4b7f77a5cd8f383948642de45a6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
ac2fe96573b9e154d5f489fcbaaf9628

SHA1
e888cf929ef2ff7548d36f613d04dea7c4c19970

SHA256
7f25383426c2b64d8ced5907015a62bc2600b176df90a6ee371fd66216c72c3c

SHA512
420233f2abde4fc0908c51f147ef076a14c2926089b33dc59e34b9a9bc04e48383e5731c058b9c367289ca254d4224c1423712dbb6a3c15aa7ce4bd841b36a09

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
299ba92f5e2e1edbcbf1ad3c20f62d1c

SHA1
d1734a610d1d2cd8b63dad8f7cc0694ca3a81d58

SHA256
429a6e72c141163d9fbfe21827880f8139a7b86771b3b59875b7647c938eef5b

SHA512
943888b027c6e97729d1ba17f61267a6d945c8986fee82636e8755e40fc39034d7aefe08a7b388c073b12062c80a4c752620356722618f9d9cbc2de778b208b4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
9660dad068d111463288968a3c10f5da

SHA1
ec54bd6e4ca0e8fd73dca83746a4a501fc5bd41d

SHA256
6b3d8d0e43644a0835620e4807925c71f233fc8dbf31420e595e276454f2850f

SHA512
21870497f5332ec723753c07e16999d8b59c62913e37f2bbd48ce1342f7217316c02369c29054910cbd6f2863654013950f541ec961addab723e0e0e8fc038ea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
669232c8118f728ffd262342943ee5e8

SHA1
4d2cdac1c7686cfdc42f886a6d8cb31906ff846d

SHA256
9189ef2eda8b7987792c8f8d7282bd3fb5af1d45b8a2e124b968b4b655f6884f

SHA512
7137d2852251c11d1d7a273837404520a6f9921db0ad68cd3dd70384a34f69fe53c9a65a5a04c12b0e3894c21e794b55bdf256c7e9ec4ed17233a038149681af

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c2397b97395453cb132814eff4c91a24

SHA1
1f21a9ce64b3135b9b2ce275aec4bb7672db36f0

SHA256
d7912602a6b40bcbf4534c361063b74234aa3407ad2255c10668ec47d1bc7d13

SHA512
c190de2677f62c1a0fc00ccaf2f3d50ba5032bae0f65d4c2bdee5b6f20b82fe08a73e5ed10c317d2a0764a4080694120122684044240bc11f0613567beaa7f77

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
e4d941f1b51d4a9c8b9140ba81f8c898

SHA1
ec218098642bd1b5d95a3ec3ee332e9d2b0d4744

SHA256
830e218922e4793424fc4f4df9b715fe6ede826141d943e8c84de01204d80e32

SHA512
53f89aed7c2d2657713217ecd029d771d4ee57244ec43baf710b5eb68f245cdfcfd89afa1fdc42f943eacb741d15208320c2641d30aa84f3ff34ac7c928d6a92

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
7e6f1e07bcf30a4d040b926de50924cd

SHA1
8220a9435605544afa32d332a16ce379ac2ed10e

SHA256
9295a011d16b76b6b0e00c7705d8a618385623ccbd12f5fd3ce6b66697e6d664

SHA512
859028704e2665fb12d9e01a9f1045a88c8630ad0f28e41dc9f9c9e7100aedebf7544e693fed5672f40f0d54de2e77e3f6a52fbd371aef5744b9ec6d0fbe4ff4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
1e4d4931b008a2668e85a2f06ed64404

SHA1
5eaf158a507ffac32b32f27b1948c17b0f8d3041

SHA256
c1e92846a785a39cc88b8c42c8c46fd895bb484b5faaa0cb426e730dbbbb1c4c

SHA512
1cac07a2b77e3875971bf3adad53d40bfbafb8c58a9e4bb86827ef6960ed297c18df79bcf9480d22076bd9c7c17572bbf86b2d62e14f58924aa928cc0707dda2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d9c9d81a27bf1e46e042d7558b904650

SHA1
11ed3d6394f5285671396886f677d6c3e090665a

SHA256
f629109089faa3a22075902b9391be9429093bab1ca5806f08c9cfe234c51b54

SHA512
7c9c621d42f319fc44a8b4727d7dc504c7dee23e4c200c3166c5049f85eff648d1549dc410706a4663e11763103666b814595e3867e461b7de4c061a26ddf430

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
e5322dde8c20479d6e84a74dde3551bf

SHA1
e255886e231312c9efe9a45568e10bdb111095a5

SHA256
74f6e53c283b8e5f8990b131e078eb47d0ac82d82b87f66b78b5a1cb7263f6eb

SHA512
54ce93102349b5bf695cb1e7483d2f98d94b3f230f31807f38e5bdec9443094872c19b69482ae5a1127906e1d103a9c2b135d743e905659b1cc9eb7cb15fc3d6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
f9f3e58b0f3bafbb85433d7bad520b64

SHA1
621e2a26b7af4dee869af9dd5d08993133479c27

SHA256
b9c09798a03bbaedc0f36a40552c9542bb8d63cb6c66effc151c563845801252

SHA512
eae62a28d5cfc5710394557c998e5fc7b4d3fb82c8707569bf83841262bff71f43827533c5b708b44cd3e5f06f09bbca8b0557b748c20732af45b4a81b944bdd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
284ae2f9c47c32a430143e60947385b4

SHA1
ee39e0d2b9caa961e57403d45a6cae42f95a0692

SHA256
046f70b3d73366e99776121db4448c3ed99fcc51b16e34cc9efa46abe668e42d

SHA512
9152545b853c17116f6fc4d8891965b174137bc40300f18cebd6b867bfa788b5d1311b600aa2928f2c1f8e3ae12d5539095462610244ebd2a19fa3b30f0be068

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7486f4b702496761a1bf0e1f7308944c

SHA1
79fd02ff891adbfed7423b3a97567315238a1d67

SHA256
379490fb4baf2011bb932a774095f834b1cb0430860f590e75784684a274d3fc

SHA512
3cf5019f937e00e12a45bcb52d7fe6ff21c9a8409797947bf795fa09b2ad98c3926336139c88ef205ecb607ea21663e764f63dc29fcefdb57199775ef2ed4931

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
d1f405fcf42d359362f1dab71ce3fec4

SHA1
0efd8adb04b8c1cca2a7ac36ec7fc52e24d636db

SHA256
ee8a72180bfca662e80e22111e1aecf2d47b9918a59591f5bad39971b7dd0ff0

SHA512
68786d1cd00534c64c6982aa8ea80d563c12a22d2c71a06112f597108aa58e989cb5c7a3baf9d178a0b18c00b821bc42f6c1c3ca4951963f364b9c985328525d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.5MB

MD5
47c70367ba008a7d72a7da86a53594c3

SHA1
896c1b0b92ab2267c6708ccd749dc3ad696396b0

SHA256
69070f7d5c31ffef6f0634f2765c352b7ba212a381b11c5efee87e9f5b5e432e

SHA512
2a4a9d20951e80f55b40a6fc9eb4be851f33d8f09eb0fbf2202936a3377a02f58aebcaa6c8bcfd7d9e6c1268da2ccc8d06b418a9559db16989d8bc7a4cac92b4

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3fbc7a11a212b5b77ddf7fd69d0efb00

SHA1
e83e38e03907bd08f90a8bb1617d70a8f5f3a14c

SHA256
8c8cc1130f8b80ec01083941b049daeeea8e03c2b36cf3acb1ea5e57bc3654ad

SHA512
3ceac0a45fc79451e5d4c7644f40553c0ab142445643dd955a9e47026f868250796c3f465223aac5ecc9b7750dfe01dcd5f909021fdf9e4a6872f00f1ace43ab

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
a864316f752be0b50fc1c10ac57e6be7

SHA1
1162c95fdb7399f89233331362a6f421ff97ce94

SHA256
ec657d04bfaa01a80c80f503b2c637a906be74b03f2956205821750680909d89

SHA512
26af2b824d5fad6e8096eabb181bffa8bc39c8644ea8d4ca285bedf6a6e07bb23f5a05c6092e1d0bee9c252cb9efda79c102b46c2f6ccdd32989486ad916c03b

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
498bc0dd92004dd422d7443f9031f3ba

SHA1
ac3b3a43de31f476fdfd2497a4a3bab17a00ba0e

SHA256
903c4509a4311033e139a7b15581a169e47f71fd9ed5100e31a7a434beb0e1b3

SHA512
51fe523bcf044b2a10a83a859d74dff89b2c904d72460ef107f6a591018ff7548353c1837cdb927c521e7e9e2bbb77494152acfaf694e648607618bb49fca345

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4bd639cdf66037b77a76c03f5277c358

SHA1
413ffa8649854e6782081adb82af0e56db39d3b5

SHA256
d5336f8fc70827d5f58aa8db0ad94eb82e9c9edce025c164d34439b4446e20c3

SHA512
a61654d948fca482f3e2caeae17c826c5b40d72bd4b3b388887806ff47c3f06bf0a0a04ee52db2579ac63f835313cf2f639d61cbee3bdc5797116ac534cd9217

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
ee742866bd9a0c4aba103421fb8fed62

SHA1
5f0f56734c946184782e494b00bf44c867bc2892

SHA256
5e51704c113e3d36d6ca6d8b6cab679532b7ed0830018688b6053f9aa54490e7

SHA512
c2696e67e7612a75d1fbc82593a26c7541e8f24998f62c35fefb83f4f5f95a820f1858ae15c419d891a0e77001f6749ea0ce09380265f82264111fb1f3f01828

Download Submit
memory/468-7-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/468-0-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/468-132-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/468-131-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/468-73-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/468-5-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/468-9-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/512-422-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/556-714-0x0000000001900000-0x000000000190E000-memory.dmp

Filesize
56KB

Download
memory/556-715-0x0000000001940000-0x000000000194C000-memory.dmp

Filesize
48KB

Download
memory/556-710-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/556-717-0x0000000001960000-0x0000000001976000-memory.dmp

Filesize
88KB

Download
memory/556-716-0x000000001ACE0000-0x000000001AD28000-memory.dmp

Filesize
288KB

Download
memory/556-728-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/568-116-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/568-115-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/568-101-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/568-195-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/568-98-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/568-649-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/568-92-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/824-493-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/824-470-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/832-640-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/924-60-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/924-65-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/924-59-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/924-164-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/936-165-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/936-304-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/1040-637-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1048-366-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1048-346-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1076-565-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1100-626-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1104-700-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-713-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1132-347-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1132-332-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1344-488-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1344-510-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1348-737-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/1348-732-0x0000000001880000-0x000000000188E000-memory.dmp

Filesize
56KB

Download
memory/1348-734-0x0000000001A60000-0x0000000001AA8000-memory.dmp

Filesize
288KB

Download
memory/1348-748-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1348-733-0x00000000018A0000-0x00000000018AC000-memory.dmp

Filesize
48KB

Download
memory/1348-735-0x0000000001AB0000-0x0000000001AC6000-memory.dmp

Filesize
88KB

Download
memory/1348-738-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/1568-383-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1568-363-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1584-247-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1584-147-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1648-100-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/1648-14-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1648-20-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/1648-21-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1736-157-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1736-161-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1876-82-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1876-74-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1876-174-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1876-75-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1940-514-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1940-498-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2012-440-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2012-474-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2056-106-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2056-105-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2056-568-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2056-198-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2056-112-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2236-262-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2236-205-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2244-187-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2244-210-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-760-0x0000000001A40000-0x0000000001A5A000-memory.dmp

Filesize
104KB

Download
memory/2280-761-0x000000001AD90000-0x000000001ADAE000-memory.dmp

Filesize
120KB

Download
memory/2280-757-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-758-0x0000000000E40000-0x0000000000E58000-memory.dmp

Filesize
96KB

Download
memory/2280-759-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/2292-119-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2292-127-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2292-222-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2356-541-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2368-615-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2508-542-0x0000000003CD0000-0x0000000003D8A000-memory.dmp

Filesize
744KB

Download
memory/2508-546-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2508-538-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-46-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2544-83-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2564-435-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2644-407-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2688-689-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2720-27-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2720-135-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2744-334-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2744-308-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2772-38-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2772-30-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2772-31-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2772-58-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2876-591-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2876-603-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2896-434-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2896-446-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2904-572-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2904-563-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2912-701-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2912-686-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2924-278-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2924-312-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2960-590-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download