c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8d

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 08:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
Size

1.6MB
MD5

2b45f50ac1c16eefebd59af3e1c25830
SHA1

c667b3d9446f5a553087d6d5b7043d2095788896
SHA256

c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8d
SHA512

ce362b1d6621bce48de5d35e77745c113c55f8ed48b8780cccb7e7c969230861b07b68d9bd0264c8fc754c3dc5bcab7de8c617de43f4424b3ed0c4264d9cd46e
SSDEEP

24576:p3io+rga2kuRW2S1bFkCndDNPcHjlVv4KDfHMc3eyNidU8cKlrU:pyo+rz2Q2S1RJ30Dr4KYcOCidU8cKFU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 60 IoCs

pid	Process
464	Process not Found
2208	alg.exe
2892	aspnet_state.exe
2656	mscorsvw.exe
2672	mscorsvw.exe
2680	mscorsvw.exe
2836	mscorsvw.exe
1464	ehRecvr.exe
2100	ehsched.exe
1812	elevation_service.exe
1748	GROOVE.EXE
1588	maintenanceservice.exe
2452	OSE.EXE
2188	mscorsvw.exe
2148	mscorsvw.exe
1284	mscorsvw.exe
1516	mscorsvw.exe
2044	mscorsvw.exe
3064	mscorsvw.exe
804	mscorsvw.exe
2784	mscorsvw.exe
2760	mscorsvw.exe
1920	mscorsvw.exe
1692	mscorsvw.exe
2396	mscorsvw.exe
1472	mscorsvw.exe
1476	mscorsvw.exe
2304	mscorsvw.exe
1040	mscorsvw.exe
1592	mscorsvw.exe
2432	mscorsvw.exe
2360	mscorsvw.exe
2000	mscorsvw.exe
2024	mscorsvw.exe
2480	mscorsvw.exe
572	mscorsvw.exe
1820	mscorsvw.exe
2756	mscorsvw.exe
2300	mscorsvw.exe
2020	mscorsvw.exe
2268	mscorsvw.exe
1344	mscorsvw.exe
2668	mscorsvw.exe
2740	mscorsvw.exe
2884	mscorsvw.exe
1644	mscorsvw.exe
740	mscorsvw.exe
1332	mscorsvw.exe
2888	mscorsvw.exe
2832	mscorsvw.exe
2252	mscorsvw.exe
1692	mscorsvw.exe
1364	mscorsvw.exe
1136	mscorsvw.exe
1648	mscorsvw.exe
772	mscorsvw.exe
1912	mscorsvw.exe
3008	mscorsvw.exe
2404	mscorsvw.exe
2744	mscorsvw.exe

Loads dropped DLL 22 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2668	mscorsvw.exe
2668	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
740	mscorsvw.exe
740	mscorsvw.exe
2888	mscorsvw.exe
2888	mscorsvw.exe
2252	mscorsvw.exe
2252	mscorsvw.exe
1364	mscorsvw.exe
1364	mscorsvw.exe
1648	mscorsvw.exe
1648	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
2404	mscorsvw.exe
2404	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\549770335f6c6349.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E33.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA303.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAADF.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB6E1.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB193.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1704	ehRec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2268	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: 33	2056	EhTray.exe
Token: SeIncBasePriorityPrivilege	2056	EhTray.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeDebugPrivilege	1704	ehRec.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: 33	2056	EhTray.exe
Token: SeIncBasePriorityPrivilege	2056	EhTray.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeDebugPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2836	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2056	EhTray.exe
2056	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2056	EhTray.exe
2056	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2556	2268	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe	31
PID 2268 wrote to memory of 2556	2268	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe	31
PID 2268 wrote to memory of 2556	2268	c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe	31
PID 2680 wrote to memory of 2188	2680	mscorsvw.exe	46
PID 2680 wrote to memory of 2188	2680	mscorsvw.exe	46
PID 2680 wrote to memory of 2188	2680	mscorsvw.exe	46
PID 2680 wrote to memory of 2188	2680	mscorsvw.exe	46
PID 2680 wrote to memory of 2148	2680	mscorsvw.exe	47
PID 2680 wrote to memory of 2148	2680	mscorsvw.exe	47
PID 2680 wrote to memory of 2148	2680	mscorsvw.exe	47
PID 2680 wrote to memory of 2148	2680	mscorsvw.exe	47
PID 2680 wrote to memory of 1284	2680	mscorsvw.exe	48
PID 2680 wrote to memory of 1284	2680	mscorsvw.exe	48
PID 2680 wrote to memory of 1284	2680	mscorsvw.exe	48
PID 2680 wrote to memory of 1284	2680	mscorsvw.exe	48
PID 2680 wrote to memory of 1516	2680	mscorsvw.exe	49
PID 2680 wrote to memory of 1516	2680	mscorsvw.exe	49
PID 2680 wrote to memory of 1516	2680	mscorsvw.exe	49
PID 2680 wrote to memory of 1516	2680	mscorsvw.exe	49
PID 2680 wrote to memory of 2044	2680	mscorsvw.exe	50
PID 2680 wrote to memory of 2044	2680	mscorsvw.exe	50
PID 2680 wrote to memory of 2044	2680	mscorsvw.exe	50
PID 2680 wrote to memory of 2044	2680	mscorsvw.exe	50
PID 2680 wrote to memory of 3064	2680	mscorsvw.exe	51
PID 2680 wrote to memory of 3064	2680	mscorsvw.exe	51
PID 2680 wrote to memory of 3064	2680	mscorsvw.exe	51
PID 2680 wrote to memory of 3064	2680	mscorsvw.exe	51
PID 2680 wrote to memory of 804	2680	mscorsvw.exe	52
PID 2680 wrote to memory of 804	2680	mscorsvw.exe	52
PID 2680 wrote to memory of 804	2680	mscorsvw.exe	52
PID 2680 wrote to memory of 804	2680	mscorsvw.exe	52
PID 2680 wrote to memory of 2784	2680	mscorsvw.exe	53
PID 2680 wrote to memory of 2784	2680	mscorsvw.exe	53
PID 2680 wrote to memory of 2784	2680	mscorsvw.exe	53
PID 2680 wrote to memory of 2784	2680	mscorsvw.exe	53
PID 2680 wrote to memory of 2760	2680	mscorsvw.exe	54
PID 2680 wrote to memory of 2760	2680	mscorsvw.exe	54
PID 2680 wrote to memory of 2760	2680	mscorsvw.exe	54
PID 2680 wrote to memory of 2760	2680	mscorsvw.exe	54
PID 2680 wrote to memory of 1920	2680	mscorsvw.exe	55
PID 2680 wrote to memory of 1920	2680	mscorsvw.exe	55
PID 2680 wrote to memory of 1920	2680	mscorsvw.exe	55
PID 2680 wrote to memory of 1920	2680	mscorsvw.exe	55
PID 2680 wrote to memory of 1692	2680	mscorsvw.exe	56
PID 2680 wrote to memory of 1692	2680	mscorsvw.exe	56
PID 2680 wrote to memory of 1692	2680	mscorsvw.exe	56
PID 2680 wrote to memory of 1692	2680	mscorsvw.exe	56
PID 2680 wrote to memory of 2396	2680	mscorsvw.exe	57
PID 2680 wrote to memory of 2396	2680	mscorsvw.exe	57
PID 2680 wrote to memory of 2396	2680	mscorsvw.exe	57
PID 2680 wrote to memory of 2396	2680	mscorsvw.exe	57
PID 2680 wrote to memory of 1472	2680	mscorsvw.exe	58
PID 2680 wrote to memory of 1472	2680	mscorsvw.exe	58
PID 2680 wrote to memory of 1472	2680	mscorsvw.exe	58
PID 2680 wrote to memory of 1472	2680	mscorsvw.exe	58
PID 2680 wrote to memory of 1476	2680	mscorsvw.exe	59
PID 2680 wrote to memory of 1476	2680	mscorsvw.exe	59
PID 2680 wrote to memory of 1476	2680	mscorsvw.exe	59
PID 2680 wrote to memory of 1476	2680	mscorsvw.exe	59
PID 2680 wrote to memory of 2304	2680	mscorsvw.exe	60
PID 2680 wrote to memory of 2304	2680	mscorsvw.exe	60
PID 2680 wrote to memory of 2304	2680	mscorsvw.exe	60
PID 2680 wrote to memory of 2304	2680	mscorsvw.exe	60
PID 2680 wrote to memory of 1040	2680	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
"C:\Users\Admin\AppData\Local\Temp\c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files\Java\jre7\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\c55059945ac3d7b362a3cd60dfa75f1ba6fb551368ada8673181c15df19aed8dN.exe
  2⤵
  PID:2556

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2656

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 26c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f0 -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 1f0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 1f0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 260 -NGENProcess 1f0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 28c -NGENProcess 268 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 1f0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 290 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 284 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1c4 -NGENProcess 1f0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2d0 -NGENProcess 2ac -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1c4 -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2bc -NGENProcess 2c0 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e0 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2bc -NGENProcess 2dc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2ac -NGENProcess 2dc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d4 -NGENProcess 300 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ec -NGENProcess 2dc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 308 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e8 -NGENProcess 2dc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 304 -NGENProcess 310 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 2dc -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2dc -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 318 -NGENProcess 310 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2f8 -NGENProcess 320 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 310 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 328 -NGENProcess 320 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1464

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1748

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1588

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
a01a6d3dc4b8a659ed359d462458d91f

SHA1
508529fd01dbb1391daa3f674d18bcd5b5819e64

SHA256
4eee88811c4abcb1596410148673ade8706eda4ac974bffaa49adddd89b06987

SHA512
87cb7dd406ba023c1bbb303849708ff6a298643329ee2d7ca8ce68d37cd2b8bc1aae4fcc2b38358ba6de658599a9b683f359a378bfd9356651de43a28064c7b9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
326185fba30e30a989ce1458aa0c1de1

SHA1
b106a8b1f6b690f9e964397a1af256fc9d81bdc4

SHA256
694fe33c747e1b60f7a401dfbfc2da5bc8edbb1193c9084195e0df21f13ea581

SHA512
5613e8b1d1bdbbca1999fe42c78fa4e396347de0a7c9021287d777ab327457f5628c878f2f1a66632b6b9a420fa4fa5a99e011c336beb9359027ab07825c1f30

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
f5b7aabfeac743f7f55bf4a1b38cca0d

SHA1
01f8f0d15d7319681b5da903df5ad1aeb6585c45

SHA256
e33b9bcc9d1c64e7a632a59dfdc601cc6ebf1d55a9e4fd32c9a510e0287d8ae2

SHA512
1e16587fbb5af8747aedc06ea9e21e62c944259f82a6cebb44e1bc54e3c9f51c898fa0d52071f219694bee53d625d6d620ca69abd71d51926cc0514979458df3

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
e939677e1afb2aa76587381ffca8cbd7

SHA1
48b9ab3ee7439579124b681f7363bd59aadd3cda

SHA256
f348ac7173981b2bcdcd597237be14dcc4f47cbc56831d50875455b906bfa839

SHA512
f55ca723c1a882986b6641571cdfb60a49bd7210441ae92ec05bb1832a375d1dff6db152a5873db755044fce87cb80e15b00560c4c627fb6e419881c3060a342

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
825321e342484acc56eb8cf41d6a3a9d

SHA1
50eaf13bbb751d6631dedde11f7d366a9af0f677

SHA256
ae4536e74ae0627525f32a1ee6a1352947e981022557af2f751547708eb052ad

SHA512
d8315454bd5c2379cbb5b03fca85e955aba389c8d1130841d01516f0dafef7d705a2c4b2da0f70c69715d9715f981436d4372d15c1ea138913e5e59925a94ab6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
f7f5970da4fc950332eec4294fdc5d6b

SHA1
18ca91d1d1cebc108a1456dc7f684958cd325ab5

SHA256
36333843488a6986299a31991cbc9f95a2f22db0a96a10318d00a1aa292a2248

SHA512
f2e7be7d83b81d3a18877f568ec7cf8f8a1160c32d42ebea762ffdb27198248a3ceae92dea4fa4e077d6d7bdc856add528e0b6280dc0635e66adccc6d734d7f5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
bd6669af27917f1da96f663b24480a33

SHA1
c1ee8205c06ede8d7985c59655b30885c300daa3

SHA256
083e399a1721b7a6a3ffca2588b061d71945d4d3ac4b27af960c003e39fb7a82

SHA512
3e461058a7ca4bb05ee7c3268b075c5946ac091da9287399506809570191b8ddf9ecdacff9b94078b23e0e1afe8cb79733759d0853246793f70f8a31f80016ac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0fa3def6a96c90dcb5608ac5849635d5

SHA1
aba2e694cf1fcee8a6b13fcd0c3ccc5d15db1c92

SHA256
9a8f3bd15007038f4d8ff67f9bb110333dcab411b56de7599578d7c9801c80ae

SHA512
a511d4f4de6b85213663c78ee22425cdbf17eb0fd2bc47d97151e667ee13f074846795038b42baf0c19723088d56271ca481295a465dfa9dc0f21febb940b770

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
31914adb275a633de101de946f8ccc05

SHA1
3bf74571a5a84e5f45c1a599bcc94405bd5b53ff

SHA256
d5b924a8b1a5ea2551b4b457a689f6d3e701c42e6bd12571386dd2c60165f38b

SHA512
50b48ba849b69c23f5e95a0c88ca15e25859687dd0220897c09edc65ce01e19e80afdd46a708c4eba97fad120c367b4b9ba2e842fc952fa8fff068df0922212c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d55e01f130cd7a81a421bc7dc0956972

SHA1
32bc4649757ebf0110b60d5e53200cdd29d7fc16

SHA256
5603e65a44aee01741a2681295b49aae4b6918015361da70a978c9728ef83e25

SHA512
cf40697a3ef82304fae9c18e944cc5b00bb483d0dfd6b91305dab21ee6fcea3bf75591e0026b593cdaa6b6e814573b060a47518d2ca435ce38235733c2db5387

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
8354a2ae8066eb82fa762ec063f3b9e2

SHA1
261d038ab3820dfe83cbd91676f42bc11e61e847

SHA256
c8634793f0f9c37288f0638a98c1ec04c7e9696f1641f605ddcb34885c677ff2

SHA512
54d22563928815f526a6409f0b6990f43fbe41769c8d757fe1cac4cd1f35d2c6f6e078dc6c0e080e21fe4b29be32a7d2bfb34a319b8a2ccc13d8cc649c6a6424

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
7862306b758f3f2fc3e69f6b5495a8c3

SHA1
d353308be1c2dbb77fe7aed9eeb550791c6f33cf

SHA256
4e61ebd86925ab2c35c5dbfa214c8c0b001d7f017bc0d27a8f93bafda924c88a

SHA512
28e0c608c92fbdc7b6f09c20df949ed7523c985e440a28ab120c226445a2edf0bca524be22a688d9b2f84d843641da4e27b4053cfcd04d409129a79da0b499b8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
920f20ed5a3afd773f011c374d8199f7

SHA1
7350cbe5858621cf14c904ced9db4e2e9c73e411

SHA256
1f3d51e470bf9ac740b427630091fdbe312c04b5b442a018f9dcc92fc201c644

SHA512
a63eafe5df62b9d34d8e8aa4b303412cb051ceb1ef9a54c972f08768699ad6edfc9589a2b518cc42b09db194126105d771178add4641950d719533ef0d5e0fb8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
a8e169890acb0b1fd8fe22cac226e93b

SHA1
8f4496afe30d132678a31ec6029a8b657c84108d

SHA256
965bee30f8905d108ca0383458761cc3f379df09c31b964b7b8d8cd833b55c8c

SHA512
cef08f337dd02a98b47c5e99e5aecaef328c435e8ac8b322f2830a0f2d27d06a1319e758672333c5a214d73a42e3a3d4390db5673463044dc2e5bd04d0a95dda

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
32c8e140ba19162d94d5f77935e928e5

SHA1
301f9cc01530fe8848d17d8dd7392bd4fc43e22d

SHA256
51147971c20ca3a63af79a6410be4b16c206a044bc13c5986b9a6d8edc2a843a

SHA512
7284d77e19683fbf9a2f630283a02501335374c168958a641238cca1cfb7bde1f3f91450c0aba1eff4acd3de7dfeb77ed0ff1da8800d5d1a1a146655c892a3b6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
059d1ec7cc68a518f64a33ae3c00e09e

SHA1
cdbcd3ca1590abb2439bc093bfad917a254e9d42

SHA256
45cfa56ca12a8385b7998650191640914186c28395663d983560cfb8c9013519

SHA512
08605a6f7b1f6f49726186b12c85fd8ae907a112bc5e45f581b434d71169d19aead619ee659ea37bf2c0e1be98314413b5e1862af862f36024d07b52912e32a9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
99ef2eb8b7f02db2c9f0caff1c13b532

SHA1
9ef4a47be1c401b4b2060a2c99cccf4f1e9fc7cb

SHA256
e20d83043a62b316a008ff9e3d9e6413ebd2babd7cca427197f3c29fc81e66dd

SHA512
a848f059a44878f827bd1325a9a0c9df1723d1dabea4762aae80730de47e5c49571e8f9c123d4cd1b835373a78f082fb72a09ed42bddbe1868fa316a8c039c6e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a96508cafbcd8bbfead4ae67fc657223

SHA1
69a85187215c82f42cde58152d0a0a4f12628fca

SHA256
a7c7b612716f755e43d82975d5ebd1c810172e30a14086b49fab749fc9c442b1

SHA512
e667f42883fe78b9ef57d9a0526cf6b4f85db1c5da6dce43fe060c53a637e8f1171e4fa6dbf167ca7e521ecf18c1b3fc2ea75e1ed560f3ccc7aa457f1336ed1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
823737722f8bd1f979186d15b4951e1b

SHA1
ab272c5172c861dd9d72fd01e68681fb86ccd8db

SHA256
5c5227d860f8be2d11425cac93fb17e7951071e063880f7628989525d11a6ebd

SHA512
8da99e1f399517bf218c042e1bff99c4dfa7c601496114d7ebb1f151ad18a166f05676aec3e05602f889d6a610379293d54a8a7ce2653660f8b24f6e0d773862

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
8cf5a6ba6bc4fca3b081558699951415

SHA1
189f73b380ac043f7bbbd51be48d29d5ada43aae

SHA256
d037bc606fef2f21737cdc697593a0d84c6b0cd2c967e82affc14a3aaa7ddb40

SHA512
0d5c8a2f8467d9bc88340d4191ca019009355c4516f4670d52dd9b7bc0ac1ea99e2a1eb319b1e8a30776f22c516f7c17863f3b1a7db60e77e5420a09a0cd34e2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
6cbabe17996e913c33034d5d574f35c0

SHA1
53bef820a4909ce594debe908d4e40a561bac32d

SHA256
9e319b6b81cb36bd6ed2aac384716d6f763f0c2ab46a5c308fc133a459089d21

SHA512
c49ce19e7a778ed0f3674ce1b20aba5c795e08ac445b9c28f5737d8a206c20238fef096c1f6c3f77828fea0027281524948476ccf136d14c793c736412896a4e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0a31f78003f53d23166e9d6a05335fc2

SHA1
bd6cf3843aa87fa0208291eb99815ee568cfe62f

SHA256
987954f6daca4d2bfe1e947a0db3ace4d8432430a8c1860fcb76a8fef070b0ae

SHA512
afbe75f4095fbe437090abe91d0adfc9a6038c8fadafc2be67a8468913398d01302f52a11ac2f5f04dec1b188a90ae393f98e8f10b4b50e8ef1654e9ff66ec14

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
226f60e34daba06c1427b31b058c5cdd

SHA1
ca19dc467b6325de2c3bb150365fed87ae8e371d

SHA256
9886b70fdf6a8b7efbbfc0452d1048e9f879944c7f0b6ff24acfddd363539d58

SHA512
0ffd82e406dcaba07aa3cc94f2c72551d028ae3471b439474e0d51632088e48a676b292cfcb835591fc584bcc425b04b6711efd32987c473b1ed3fe1dbf3a7d4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
2825bd2a60ab3b0ab294bd25706aa48d

SHA1
00dcc7bf32c97bd89115cc0d3f1827095f457949

SHA256
0534eb95833478c02ff6924da15980645d181aff5cb3a75c3c9b626477479062

SHA512
ab8e5ac14e8ff1f6516f49737f489c59d647ec55ee359e5f01be71dc0e073b1e4b6ff288c1e60b0359ea7fb6d361944527607120fec1f479a007a1413f142633

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.2MB

MD5
0ec6e4c733ab7fa914d218c7540eda6a

SHA1
2d573a0b191ba04b1547cea072e78ea10e42c721

SHA256
1a2c1124d86d0060c1d11c1499de7804fd763280fbd6b3b0992cd80f93324cf2

SHA512
631d266ac1c6ccb331bbcd3f728fa5df0ac81fde70add2fa8ee01fb418a2ef0015e01be750c84838a4959718722ddd8aaf7564923ea35729adfc311e992335b7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
fc104abe97067bdf1c63d747ecca4e4d

SHA1
38347c385e430970168643acdb9d95e3e4f0c687

SHA256
55a3c15ecac9c7835d8a98b15672658a10093def1dcd6a8e9c6d4c3cd52e9918

SHA512
42d802cf048b47a55662585331467c447202287583d91216904f9b0288c953104c7074d579aa83977132bac75b30e39366cf67556ce1e61d7b5e65b69e18a76a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
e487437404a4a76f6518a7de463558fe

SHA1
2220bd6ffdd4abfae92fd56b8c14fbe6d13d7c17

SHA256
d42795eae46c3711cb5eb40b6c913397e2861cb0f4159f2b76bd6228fb6d50e6

SHA512
9034dc90f2c0af0ce5c3a01211f5ed28440faf333d9052406a91d9b14cdeccc4403fe2c47de32a911b858aaddd5318083b341a152dce903b4b27ec7b83c89f72

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
681b6004e168cf4089651292009b840d

SHA1
bf9ca8a357958bb5d435d9528fd54134339de28d

SHA256
b95970e2598d39dfc5c0d25fce8a02e115b60aa2b5a788f8585b18c281485d6c

SHA512
d6c147693b080cd1384fc2b348bacd1e2f752e5172b477e12d784d7e86c86947c5bcf3ee7bc5aa299eebb6027394871873c1f6bb90dc1331d3e35b6ae2830258

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
bb3960968e5622de120ac015f677ade5

SHA1
7833f72ce6ba2f7b8a1e17f15a566a7ae556865f

SHA256
bb37c09d1d0f390670cf4d9baf5091d941651511d1f8f21f331e780a60a81f24

SHA512
c17a12e53bbaf08accc134c60a4a92f083b6043a73f18d89317085a3e39704de27c0caf62d2f9c07f919a36565a8d63e150c39203a550ed300a08ab19554a2f4

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
f17f367e4d0c3756863067aa625d32c4

SHA1
2f2e8e5dd5a63f73b00643bea19216c4eab3d903

SHA256
910cd1292dfb46c1d23d2581d38be4a229ae715590698ccfd9f20f72899c0038

SHA512
5762e4fb984b5ef5b944cb864b88de503fe67ee3dff870675bb36f7c3839b56046dd38a41c6d6cfeeeafcb2d56f5b520f2f3f5f71bd9ce04e1fec0b0d139aecd

Download Submit
memory/572-602-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/740-791-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/740-778-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/804-381-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/804-367-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1040-518-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1284-309-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1284-277-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1332-792-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1332-810-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1344-717-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1464-117-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1464-100-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1464-116-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1464-636-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1464-98-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1464-179-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1464-92-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1472-451-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1472-467-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1476-485-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1516-306-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1516-321-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1588-175-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/1588-154-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-530-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1644-779-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1692-426-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1748-146-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1748-245-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1812-195-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1812-119-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1812-125-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1820-612-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1820-625-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1920-422-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2000-573-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2000-562-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2020-698-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2024-577-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2044-313-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2044-335-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2100-194-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2100-112-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2100-111-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2100-537-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2148-248-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2148-281-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2188-187-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2188-246-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2208-22-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2208-13-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2208-21-0x0000000100000000-0x0000000100138000-memory.dmp

Filesize
1.2MB

Download
memory/2208-104-0x0000000100000000-0x0000000100138000-memory.dmp

Filesize
1.2MB

Download
memory/2268-6-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/2268-0-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/2268-9-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/2268-131-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/2268-703-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2268-132-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/2268-75-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/2300-686-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2304-487-0x0000000003D00000-0x0000000003DBA000-memory.dmp

Filesize
744KB

Download
memory/2304-502-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2360-559-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2396-452-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2432-550-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2452-327-0x000000002E000000-0x000000002E14A000-memory.dmp

Filesize
1.3MB

Download
memory/2452-165-0x000000002E000000-0x000000002E14A000-memory.dmp

Filesize
1.3MB

Download
memory/2480-597-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2656-30-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2656-31-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2656-57-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2656-38-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2668-730-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2672-47-0x0000000010000000-0x000000001013C000-memory.dmp

Filesize
1.2MB

Download
memory/2672-72-0x0000000010000000-0x000000001013C000-memory.dmp

Filesize
1.2MB

Download
memory/2680-670-0x0000000001CB0000-0x0000000001CDA000-memory.dmp

Filesize
168KB

Download
memory/2680-59-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2680-665-0x0000000001CB0000-0x0000000001D9C000-memory.dmp

Filesize
944KB

Download
memory/2680-666-0x0000000001CB0000-0x0000000001CC0000-memory.dmp

Filesize
64KB

Download
memory/2680-667-0x0000000001CB0000-0x0000000001D38000-memory.dmp

Filesize
544KB

Download
memory/2680-668-0x0000000001CB0000-0x0000000001CD4000-memory.dmp

Filesize
144KB

Download
memory/2680-669-0x0000000001CB0000-0x0000000001CB8000-memory.dmp

Filesize
32KB

Download
memory/2680-162-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2680-671-0x0000000001CB0000-0x0000000001D16000-memory.dmp

Filesize
408KB

Download
memory/2680-663-0x0000000001CB0000-0x0000000001D54000-memory.dmp

Filesize
656KB

Download
memory/2680-662-0x0000000001CB0000-0x0000000001D3C000-memory.dmp

Filesize
560KB

Download
memory/2680-661-0x0000000001CB0000-0x0000000001CCA000-memory.dmp

Filesize
104KB

Download
memory/2680-660-0x0000000001CB0000-0x0000000001CCE000-memory.dmp

Filesize
120KB

Download
memory/2680-65-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/2680-659-0x0000000001CB0000-0x0000000001CBA000-memory.dmp

Filesize
40KB

Download
memory/2680-664-0x0000000001F30000-0x00000000020CE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-60-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/2740-746-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2756-629-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2756-622-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2760-396-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2760-406-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2784-386-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2836-83-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2836-77-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2836-76-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2836-164-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2884-768-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2888-809-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2888-827-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2892-27-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2892-142-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3064-366-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download