blustealer | b445018afa2dee3bda17e65e52a7a3c143b0ae31abd00d26f58a4fa3319dd523

Analysis

max time kernel
78s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent-Order.exe
Size

1.4MB
MD5

1dab5e05ac3651db47b6f881dab8dd3e
SHA1

66c37ab30dc83b3519815b2406cc6dd332e4d91b
SHA256

b445018afa2dee3bda17e65e52a7a3c143b0ae31abd00d26f58a4fa3319dd523
SHA512

dd31a50b54385b3c1917e6eb17e7970c2fd97ec481c297865d7f37c7f2ea137ed8b60a131e7de5a7eee2278f5d26951c9da0be4e2babb00582993fb1cf8b4472
SSDEEP

24576:t9j0kMtM5Gcc59B40fuI3At9NzS1f8iGiEKjOWVQbHnERMJaICUQqi+4P8mHMC9i:7MOqu0fpAt9NzAEi7XxsERNB5PRsYo

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 10 IoCs

pid	Process
460	Process not Found
820	alg.exe
1520	aspnet_state.exe
1876	mscorsvw.exe
1740	mscorsvw.exe
1628	mscorsvw.exe
1584	mscorsvw.exe
1580	dllhost.exe
1712	ehRecvr.exe
608	ehsched.exe

Loads dropped DLL 5 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\34faa66ea5fe7035.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Urgent-Order.exe
File opened for modification	C:\Windows\System32\alg.exe	Urgent-Order.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 528	1048	Urgent-Order.exe	29

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Urgent-Order.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Urgent-Order.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	Urgent-Order.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Urgent-Order.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A0D6F56A-FDB0-4077-9B76-CBD7A0D43A0E}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	Urgent-Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Urgent-Order.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Urgent-Order.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	Urgent-Order.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Urgent-Order.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A0D6F56A-FDB0-4077-9B76-CBD7A0D43A0E}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1048	Urgent-Order.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	Urgent-Order.exe
Token: SeTakeOwnershipPrivilege	528	Urgent-Order.exe
Token: SeShutdownPrivilege	1628	mscorsvw.exe
Token: SeShutdownPrivilege	1584	mscorsvw.exe
Token: SeShutdownPrivilege	1628	mscorsvw.exe
Token: SeShutdownPrivilege	1584	mscorsvw.exe
Token: SeShutdownPrivilege	1584	mscorsvw.exe
Token: SeShutdownPrivilege	1584	mscorsvw.exe
Token: SeShutdownPrivilege	1628	mscorsvw.exe
Token: SeShutdownPrivilege	1628	mscorsvw.exe
Token: 33	1136	EhTray.exe
Token: SeIncBasePriorityPrivilege	1136	EhTray.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 268	1048	Urgent-Order.exe	28
PID 1048 wrote to memory of 268	1048	Urgent-Order.exe	28
PID 1048 wrote to memory of 268	1048	Urgent-Order.exe	28
PID 1048 wrote to memory of 268	1048	Urgent-Order.exe	28
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29
PID 1048 wrote to memory of 528	1048	Urgent-Order.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:528

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1876

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1580

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1712

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:608

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:988

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:1772

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:1556

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1304

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2224

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2348

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2388

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2572

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:2652

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2840

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3016

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2176

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2336
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:2400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
047a255c2f0928089c22da9fdf0812b2

SHA1
6d8b2db4b00cb59151fa5d760a366db08088b413

SHA256
e78563f30c053d8ed215b0758e2e021c26c853c84c016c04fcbeac263945a661

SHA512
ce5abefc1740d5763167a91ea6943c97d9f34b3d1871431a9650bd5d51258bbe05a09db39cc9d40ec83655f7bd90b0eec553fb3c99d8626f4475856b0d708af8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b7c6f32e5725d2d1a266bbd2de53f6ce

SHA1
4e857242f268a4480a8d1540b776f7e7a579bb6b

SHA256
c2d7f3c9611dd1012045bbfdb461a9c57a79eebe77811767aad8b781ae122618

SHA512
9ef3e3bdfff570ffa58f8ad444b6f6e553e73a413028dfd0ca411d1108551dd6957a1327e146db586be57c9b40a15a82d6ee701f073a87c437d98a7e40407417

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3daf6823049444b37f373ac43f303e3b

SHA1
3135722ae860a9dc974628c4336811b1c7213c0e

SHA256
a393f8a18b72d3f111e88f709565b3a1da5b969afa52a20e040ed46599410056

SHA512
0c9b0eed42df7df766e8c19a44df06c411c7f413ff822883a362a78b58f3eae68cb74e3a141a2c6539d90b53a03945cdd397146b568f52fd63f9900164fa3719

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f5ba78bfc9b6f6d3bd3e58dead9137a7

SHA1
a59c0e540bc8d19a8be2881cb1a2c579e7221d52

SHA256
20a3d1233f77f4bf8cfb094ea00000965522142f0baac2f3ff61043dff470800

SHA512
5d2c12b11303b9a6352dd4d27cb19330e06619a737fe199dd7a84766d70f8a83d2a712ced0d53bf57211a96066ccadcc3834bc3d0c0426f4b2bcd73fd8a91974

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
accff551aaf6c4767d552a66ce2cd783

SHA1
dae7943c638f52b6dbed453bfb42681fe0d90d12

SHA256
40b30f896b47e5b7092e9e8e6afaab83444d1021d55fbcfdabec5fb3b6a0a509

SHA512
9535031a514b8c925b26befbbacde569690ea827c3f451a1ddf72d02ccc73698b7c94918de2660774d63c0c66f3374393523e84332c1136d4737ae128a1bc807

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
942796ce88626281552d08997d082865

SHA1
737d6fddfd8f218ed19c7d8c035752b3594ad795

SHA256
7ce7b5de68c42c59f7764943aa09383bbdc5d248327cc3cbffba29602db0d617

SHA512
7f9f8fba3a254046f3732c342797b112b1cb6499fd65cab48b89d6eda0d247ff0b621a9e5c7c80c77bbe389859987549146b4c258a9adb509436d632f0d1009a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
80b878b71b411b285250f5d77e03ded8

SHA1
793a99e4843cf613d5b176c34ad2d0e74b2d26ba

SHA256
bf483d543349eacdfdf8988dfd6d08adf9ea017965f9e0d757e783c1bd868d1c

SHA512
25f311fd427092639ecabc1b30da7b51c7fe9c60cfcfda01dda917c0aee48f0ac6cd6879dc8f9e8ec9422666c8c72681a1815961d651d2d272258a8b3c56c17e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
bc4ab016b6f90267385dc8d649b52d6a

SHA1
24c0fc7152e8135e1cb6c87d60b2e52db161f5e6

SHA256
4de7d043d864fc83d2b8c34bd5e965e1689fac853375a36ff712af92e77bd081

SHA512
448b9a0ae00cff7bb07253e8a437a3661584c2bc656d6d0bc940d0bad7694a8848c3ebf28e1e0f74aa8e17d344013746059a1303a747a16494c58d51a49e5387

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
bc4ab016b6f90267385dc8d649b52d6a

SHA1
24c0fc7152e8135e1cb6c87d60b2e52db161f5e6

SHA256
4de7d043d864fc83d2b8c34bd5e965e1689fac853375a36ff712af92e77bd081

SHA512
448b9a0ae00cff7bb07253e8a437a3661584c2bc656d6d0bc940d0bad7694a8848c3ebf28e1e0f74aa8e17d344013746059a1303a747a16494c58d51a49e5387

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
7dbaa15ec6180248a3524e9283e4940b

SHA1
60b5a1ba93ff3121e35fce31db67846ad945d935

SHA256
b81231225b30fddde6bc6e29a8b47558cce084d4e1e8a69dddfd0676c3932e8a

SHA512
5491d03044d96f591216c98fcbf53a44d03db3e96089a93d4077a9e63b94c11453bdc57207c18c213bed8fcee04064e045a8cfc72700e5b1659587fed0fa0c50

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
cf9d7a94e6ff839e38a3666f474d75d9

SHA1
697e86c994eaeb351c7dfc47be02ba5caf04d6a8

SHA256
e8f92a5b43d8ac7513aeb998ff7261db38f4c2b732c91872c73bc9d6d5694aee

SHA512
d4b07d48b7d1998172851b22344a0dbbe4abd645d97b861173c861b707d69378545a7a1741687784e1fac6df9bb9a7ac6f597724468e311730e35f5e320eafd4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a78ab8fa9999ae5007927593805c3ce7

SHA1
3b1f4f1ef4cd455f5501bba1e5d9f7a52b826675

SHA256
08527728d9f519463af7510b8f265580d77c482d4937f2534108fa0271994d86

SHA512
2f19666f01f54e7fcc9b1d490ad24b5651a33a992d44e20f3c396fb0ba2465c8149e0c182b1ee1d78c020807dc85421130ec90b9a0c41c9ef9757105647ef8c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a78ab8fa9999ae5007927593805c3ce7

SHA1
3b1f4f1ef4cd455f5501bba1e5d9f7a52b826675

SHA256
08527728d9f519463af7510b8f265580d77c482d4937f2534108fa0271994d86

SHA512
2f19666f01f54e7fcc9b1d490ad24b5651a33a992d44e20f3c396fb0ba2465c8149e0c182b1ee1d78c020807dc85421130ec90b9a0c41c9ef9757105647ef8c1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
837beaa8ab17f596d1adeb84bc9a70a0

SHA1
68dc86748f2cecde581c2e73106625f0640e3f57

SHA256
b88ebba0fbe7714e5fae60530785455bcb5c949e9278531e9385f31ee3bf5e0d

SHA512
bde59dd6fe1e13dd018e02aa97318a1da483ecae0b0aa09d5244298eaf6144c88df6db2cb9aac889c0bc0c31cfc33153a9c7cfeca5848649332de1d2ad6b1a25

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
837beaa8ab17f596d1adeb84bc9a70a0

SHA1
68dc86748f2cecde581c2e73106625f0640e3f57

SHA256
b88ebba0fbe7714e5fae60530785455bcb5c949e9278531e9385f31ee3bf5e0d

SHA512
bde59dd6fe1e13dd018e02aa97318a1da483ecae0b0aa09d5244298eaf6144c88df6db2cb9aac889c0bc0c31cfc33153a9c7cfeca5848649332de1d2ad6b1a25

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
de45eb5563c9f4bf75552d86ba88577c

SHA1
88ed80e199e9e9632b997cf1d010160e7bdd8513

SHA256
e621f21b5c300cbe38913bdf6dc21e13ac085bb0b1de778220549701ea1b380a

SHA512
720ff50dce7037df7b78fa99823520e33a8056cee2bd0c5abd83e0951b6ce80241147126997463da5f00aa9f6b9684460baf79f19e260174d70e67ebfd275ff9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b2efe4ab3bdf7ca5336667162cfafe37

SHA1
afd422f7dff2f45095750707010b63bd542c133e

SHA256
a30ff663aa86a11c9242fc5df5fbcfdcc7fd4d124717c2003e68174abf585bca

SHA512
f62ee46269cec6177b242946e9ba44f5b440e20db4ce0165d4b9defbb158b5004f3df26be5e54e5eda5f412acb7797fe0bac7c50c0d05e1655d538824ec95bee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b2efe4ab3bdf7ca5336667162cfafe37

SHA1
afd422f7dff2f45095750707010b63bd542c133e

SHA256
a30ff663aa86a11c9242fc5df5fbcfdcc7fd4d124717c2003e68174abf585bca

SHA512
f62ee46269cec6177b242946e9ba44f5b440e20db4ce0165d4b9defbb158b5004f3df26be5e54e5eda5f412acb7797fe0bac7c50c0d05e1655d538824ec95bee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b2efe4ab3bdf7ca5336667162cfafe37

SHA1
afd422f7dff2f45095750707010b63bd542c133e

SHA256
a30ff663aa86a11c9242fc5df5fbcfdcc7fd4d124717c2003e68174abf585bca

SHA512
f62ee46269cec6177b242946e9ba44f5b440e20db4ce0165d4b9defbb158b5004f3df26be5e54e5eda5f412acb7797fe0bac7c50c0d05e1655d538824ec95bee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b2efe4ab3bdf7ca5336667162cfafe37

SHA1
afd422f7dff2f45095750707010b63bd542c133e

SHA256
a30ff663aa86a11c9242fc5df5fbcfdcc7fd4d124717c2003e68174abf585bca

SHA512
f62ee46269cec6177b242946e9ba44f5b440e20db4ce0165d4b9defbb158b5004f3df26be5e54e5eda5f412acb7797fe0bac7c50c0d05e1655d538824ec95bee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b2efe4ab3bdf7ca5336667162cfafe37

SHA1
afd422f7dff2f45095750707010b63bd542c133e

SHA256
a30ff663aa86a11c9242fc5df5fbcfdcc7fd4d124717c2003e68174abf585bca

SHA512
f62ee46269cec6177b242946e9ba44f5b440e20db4ce0165d4b9defbb158b5004f3df26be5e54e5eda5f412acb7797fe0bac7c50c0d05e1655d538824ec95bee

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f48132e2d7a077af85a2c3b20ed2f838

SHA1
3aa5fe685489d5a5812b1367739a3dde6393f181

SHA256
2c2f9a83936e573b363b9441afbe58cb04614d71acf292d4d9b729fab28aadd9

SHA512
7883cfaca3fde4572dfc3065857a14a6872206beca9e949cb6cdba080c30217f2114d4a4b4b606e95cd1d849992367f07e8ecb7a1a06ab2f8c8afe7065c0834d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
60e18d73e1a859b43a92fdcddbf4357a

SHA1
d3d8c9de492c2f8ecd2e9cb62c50022abab29f30

SHA256
b3531fe598f121ec3c1c5bfba0dccbf11424b9c6c2f3c7f56011b1848fa71bac

SHA512
3513896c9e300f7dc436ec0b3c0fbcb0c6cc4cb2fdd5080421e5ca1222314a1b2ee82bea04449b86b72672501b0c65e83dcc1ac79b7f9114add5b70d0050cda6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
6466bfc7759742dc6a5d00da6f8a8be1

SHA1
4f31f57942fd956a0cff09271964b6d3d39acbf5

SHA256
6f1d11af818fb3b082bfdcd7a2fc7c0b37da66f997a64c863c94c7ec177cc93c

SHA512
1a10f66f130e4aff4a894ab164db2a5a7ca524f9e5c81d0bc3febacaa1a067108cf531944bba28bd6a88f00c2072c90f681555822365d016058d509d5fb6f471

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
c488dcec8c5e8d1649296810ec814f78

SHA1
6a37c2eeeda717b5b7c9582dc4b52c6450240e21

SHA256
e9f771c0e813f7f55c4f88ee2cd8c34d08cc46bf22a7b6cbb457bc83c57b9f61

SHA512
34e4b5648f9fbb6eeee6e93b8b9ab98cff5fa21c13132dc4b6dec6bdf98188a7675f0dcb99877fbb043b2adb25b9ea441114703d9855a5c95de958b6cac80db4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d42436f15ee77f00a1535f27c90dd4ef

SHA1
f862b59bb0eeb03931428e3e20b0a105cd36947f

SHA256
d3b676b0f4b9124b9807243829922a31324af7681766d23b1dd26a1619486346

SHA512
c44cc453af72103ceb041ec953054176aadbaf3fa83a498640b4e7bc49199a64f69fe51691e7685bdc8b16428177caa13e64659c7241309ab97e28768d349656

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
89a6530122d18fb8b3b2de2fe718a41e

SHA1
0961a6929935f2ef4a5e69cd2786337cbee269aa

SHA256
d9d724028fcb45a9c9c7408634ae42100e366f29f643bfc9a1418f5d33899a48

SHA512
66dff128261ec2a86a3e396b0980b0469a20b7a324cc01bb0573806cc4639a878258983e7de8c18a22d90e3cd5f0e64a06d2b82aad5a649e8d3cb2dd03297916

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
6d4bdf8c20ab7f1d72e81cb07f2a4fbc

SHA1
7feca902d35dd0481c470eafabeacc97af1bac6d

SHA256
aaf8f7e1127f60e24628ee78205f90eb5453a52c4c4b03b4ab1e091b9c581aed

SHA512
1427869e87390fab22e90d3f608e686d72d4814984b0d33daa15b2f223ac76e6823b1a215a6f05e3f48954bb98f1ad99184005c217473d8243d44c2a33343c00

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c7dbf1e90b5e35bceb5aa29b7de01de1

SHA1
601a91f58ec38cbdab0e5f47c868ef6d5f1cdafd

SHA256
380062d0b5df9434e1bfe19a927ff5134f2a96521243c1396edb2683ed572e38

SHA512
bb0aa1346c61e9f06b9d520595ad53b228030a08f2305566928b5dfe0089693178940a9ec56270da3d8ec06f0df126311235a926dd5bbb2045dab3d9d7e27978

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
44e3926a223d77785ef202dfa62ab71f

SHA1
19e03bbb2378f32e23fa3a6eda1085732ede375e

SHA256
794c02cfa97bc8bb2b1ef06090532ce43f24f77d24209731ae1c05f32bb34753

SHA512
2a9f200b9bf17fad41510851e09126bfa04c83e42d8013335f778a9ff810a6baa788434f26db0a5067fa8d428b00b49885b3ac9d553b56d052b8d4d893325ae2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
156b4afe5b998a97e82410a08c528c2d

SHA1
cfface9fc77cdc3e3dabf818aa67ddea51a60571

SHA256
6b3f21d44a771c7223b9d87f8c8d12a669d212d77b3c0d118568608e003ae5f7

SHA512
dcb5c2d39ee805cfac463881339086f2fd57d86400a366a9eac7a064e0dfcce2d323ee239f521ef82730cf5d43cd0a93b51f070aa07002ecf1efd07f1c18b627

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
27bcf32454b214e22f92fab8077ae1c2

SHA1
3753703322387c6e7ce606e72d88ff2ec112b96a

SHA256
ff430fb2b00e3d3ca62a00fa71c3f862a2bb0b65517ee35fe3d24bdc17478f74

SHA512
0c6672e8245698acbba728742ab6d32146f745138374c928173710a7a0e2749f43073de33dfabda3523c1503887720082fd026e8fefed9578c8f8ef28558ebb7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
08921fc74c217f28ae4136481f531630

SHA1
ac8c36e188e75f6845a0ebc0461ebf5695fb1010

SHA256
59a9a220d8bceb75f1f8fb0930123c8c9440a847cdc3adddb280f27666c107ec

SHA512
d769783d59d3aadac2bcdcfd879f4cd5ba24b0327a6dc64e309f1059c36c51016013cc842632aec0cab55882b8b865a4f8a3064cb9ac04cfe6092077f6001c38

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
cfaa115b5388f7af69890fd751f216c9

SHA1
64398d2cd668111958ec66d357c95971e031cf69

SHA256
f385c0736c298adb1424c4db03980a0ca9b84cd239fa9170a259046eb1ab1340

SHA512
991598303476987a96d5e809c05746e499502b65bf0ac1991c408540b37f232d8071b9adb83d077e7bddc04440b22ef4890889c27fe2d7e5df8d7471bc833c01

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
66a7b0dc1ec8a3badb099ad54271451b

SHA1
6c41b6d1ea4f02b4d87e38d79ed7e5b26c7b7b64

SHA256
f8c05461361ac6f3acc3974065db6ddf859a369bd35707e7d96da76abeac3a7f

SHA512
598f3bbe4e9489e0aa30fd29cf0ed6a07094df50ff9ef4ea517f2715becdda5d3f4e7af73ad5eb2ffd78a06a6c2c57ad3f469278dd3afb4fe13a6f77bc8237c4

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
aa204ca9f5016f0c3487594a03173ab9

SHA1
cfd77f27c6b8b26e555eac1c54c35dccb1853a34

SHA256
0e1a2d5ba1162029dda47c917ce4b3f8690f6db0373a36e0324c0f3e7756dd87

SHA512
706c8fb353a2b395af1f07c9cff5a634b942e102c57c2d81493b571a1a3080948aca997312dfa017314fad6cd264038dadccd947148df64b3844d3e18e0fd755

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
44e3926a223d77785ef202dfa62ab71f

SHA1
19e03bbb2378f32e23fa3a6eda1085732ede375e

SHA256
794c02cfa97bc8bb2b1ef06090532ce43f24f77d24209731ae1c05f32bb34753

SHA512
2a9f200b9bf17fad41510851e09126bfa04c83e42d8013335f778a9ff810a6baa788434f26db0a5067fa8d428b00b49885b3ac9d553b56d052b8d4d893325ae2

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
942796ce88626281552d08997d082865

SHA1
737d6fddfd8f218ed19c7d8c035752b3594ad795

SHA256
7ce7b5de68c42c59f7764943aa09383bbdc5d248327cc3cbffba29602db0d617

SHA512
7f9f8fba3a254046f3732c342797b112b1cb6499fd65cab48b89d6eda0d247ff0b621a9e5c7c80c77bbe389859987549146b4c258a9adb509436d632f0d1009a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
942796ce88626281552d08997d082865

SHA1
737d6fddfd8f218ed19c7d8c035752b3594ad795

SHA256
7ce7b5de68c42c59f7764943aa09383bbdc5d248327cc3cbffba29602db0d617

SHA512
7f9f8fba3a254046f3732c342797b112b1cb6499fd65cab48b89d6eda0d247ff0b621a9e5c7c80c77bbe389859987549146b4c258a9adb509436d632f0d1009a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
bc4ab016b6f90267385dc8d649b52d6a

SHA1
24c0fc7152e8135e1cb6c87d60b2e52db161f5e6

SHA256
4de7d043d864fc83d2b8c34bd5e965e1689fac853375a36ff712af92e77bd081

SHA512
448b9a0ae00cff7bb07253e8a437a3661584c2bc656d6d0bc940d0bad7694a8848c3ebf28e1e0f74aa8e17d344013746059a1303a747a16494c58d51a49e5387

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
cf9d7a94e6ff839e38a3666f474d75d9

SHA1
697e86c994eaeb351c7dfc47be02ba5caf04d6a8

SHA256
e8f92a5b43d8ac7513aeb998ff7261db38f4c2b732c91872c73bc9d6d5694aee

SHA512
d4b07d48b7d1998172851b22344a0dbbe4abd645d97b861173c861b707d69378545a7a1741687784e1fac6df9bb9a7ac6f597724468e311730e35f5e320eafd4

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
60e18d73e1a859b43a92fdcddbf4357a

SHA1
d3d8c9de492c2f8ecd2e9cb62c50022abab29f30

SHA256
b3531fe598f121ec3c1c5bfba0dccbf11424b9c6c2f3c7f56011b1848fa71bac

SHA512
3513896c9e300f7dc436ec0b3c0fbcb0c6cc4cb2fdd5080421e5ca1222314a1b2ee82bea04449b86b72672501b0c65e83dcc1ac79b7f9114add5b70d0050cda6

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d42436f15ee77f00a1535f27c90dd4ef

SHA1
f862b59bb0eeb03931428e3e20b0a105cd36947f

SHA256
d3b676b0f4b9124b9807243829922a31324af7681766d23b1dd26a1619486346

SHA512
c44cc453af72103ceb041ec953054176aadbaf3fa83a498640b4e7bc49199a64f69fe51691e7685bdc8b16428177caa13e64659c7241309ab97e28768d349656

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
89a6530122d18fb8b3b2de2fe718a41e

SHA1
0961a6929935f2ef4a5e69cd2786337cbee269aa

SHA256
d9d724028fcb45a9c9c7408634ae42100e366f29f643bfc9a1418f5d33899a48

SHA512
66dff128261ec2a86a3e396b0980b0469a20b7a324cc01bb0573806cc4639a878258983e7de8c18a22d90e3cd5f0e64a06d2b82aad5a649e8d3cb2dd03297916

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
6d4bdf8c20ab7f1d72e81cb07f2a4fbc

SHA1
7feca902d35dd0481c470eafabeacc97af1bac6d

SHA256
aaf8f7e1127f60e24628ee78205f90eb5453a52c4c4b03b4ab1e091b9c581aed

SHA512
1427869e87390fab22e90d3f608e686d72d4814984b0d33daa15b2f223ac76e6823b1a215a6f05e3f48954bb98f1ad99184005c217473d8243d44c2a33343c00

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c7dbf1e90b5e35bceb5aa29b7de01de1

SHA1
601a91f58ec38cbdab0e5f47c868ef6d5f1cdafd

SHA256
380062d0b5df9434e1bfe19a927ff5134f2a96521243c1396edb2683ed572e38

SHA512
bb0aa1346c61e9f06b9d520595ad53b228030a08f2305566928b5dfe0089693178940a9ec56270da3d8ec06f0df126311235a926dd5bbb2045dab3d9d7e27978

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
44e3926a223d77785ef202dfa62ab71f

SHA1
19e03bbb2378f32e23fa3a6eda1085732ede375e

SHA256
794c02cfa97bc8bb2b1ef06090532ce43f24f77d24209731ae1c05f32bb34753

SHA512
2a9f200b9bf17fad41510851e09126bfa04c83e42d8013335f778a9ff810a6baa788434f26db0a5067fa8d428b00b49885b3ac9d553b56d052b8d4d893325ae2

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
44e3926a223d77785ef202dfa62ab71f

SHA1
19e03bbb2378f32e23fa3a6eda1085732ede375e

SHA256
794c02cfa97bc8bb2b1ef06090532ce43f24f77d24209731ae1c05f32bb34753

SHA512
2a9f200b9bf17fad41510851e09126bfa04c83e42d8013335f778a9ff810a6baa788434f26db0a5067fa8d428b00b49885b3ac9d553b56d052b8d4d893325ae2

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
156b4afe5b998a97e82410a08c528c2d

SHA1
cfface9fc77cdc3e3dabf818aa67ddea51a60571

SHA256
6b3f21d44a771c7223b9d87f8c8d12a669d212d77b3c0d118568608e003ae5f7

SHA512
dcb5c2d39ee805cfac463881339086f2fd57d86400a366a9eac7a064e0dfcce2d323ee239f521ef82730cf5d43cd0a93b51f070aa07002ecf1efd07f1c18b627

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
27bcf32454b214e22f92fab8077ae1c2

SHA1
3753703322387c6e7ce606e72d88ff2ec112b96a

SHA256
ff430fb2b00e3d3ca62a00fa71c3f862a2bb0b65517ee35fe3d24bdc17478f74

SHA512
0c6672e8245698acbba728742ab6d32146f745138374c928173710a7a0e2749f43073de33dfabda3523c1503887720082fd026e8fefed9578c8f8ef28558ebb7

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
08921fc74c217f28ae4136481f531630

SHA1
ac8c36e188e75f6845a0ebc0461ebf5695fb1010

SHA256
59a9a220d8bceb75f1f8fb0930123c8c9440a847cdc3adddb280f27666c107ec

SHA512
d769783d59d3aadac2bcdcfd879f4cd5ba24b0327a6dc64e309f1059c36c51016013cc842632aec0cab55882b8b865a4f8a3064cb9ac04cfe6092077f6001c38

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
cfaa115b5388f7af69890fd751f216c9

SHA1
64398d2cd668111958ec66d357c95971e031cf69

SHA256
f385c0736c298adb1424c4db03980a0ca9b84cd239fa9170a259046eb1ab1340

SHA512
991598303476987a96d5e809c05746e499502b65bf0ac1991c408540b37f232d8071b9adb83d077e7bddc04440b22ef4890889c27fe2d7e5df8d7471bc833c01

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
66a7b0dc1ec8a3badb099ad54271451b

SHA1
6c41b6d1ea4f02b4d87e38d79ed7e5b26c7b7b64

SHA256
f8c05461361ac6f3acc3974065db6ddf859a369bd35707e7d96da76abeac3a7f

SHA512
598f3bbe4e9489e0aa30fd29cf0ed6a07094df50ff9ef4ea517f2715becdda5d3f4e7af73ad5eb2ffd78a06a6c2c57ad3f469278dd3afb4fe13a6f77bc8237c4

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
aa204ca9f5016f0c3487594a03173ab9

SHA1
cfd77f27c6b8b26e555eac1c54c35dccb1853a34

SHA256
0e1a2d5ba1162029dda47c917ce4b3f8690f6db0373a36e0324c0f3e7756dd87

SHA512
706c8fb353a2b395af1f07c9cff5a634b942e102c57c2d81493b571a1a3080948aca997312dfa017314fad6cd264038dadccd947148df64b3844d3e18e0fd755

Download Submit
memory/468-179-0x00000000007E0000-0x0000000000846000-memory.dmp

Filesize
408KB

Download
memory/468-198-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/468-394-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/528-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/528-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-328-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-69-0x0000000000330000-0x0000000000396000-memory.dmp

Filesize
408KB

Download
memory/528-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-74-0x0000000000330000-0x0000000000396000-memory.dmp

Filesize
408KB

Download
memory/528-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/528-75-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/608-152-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/608-645-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/608-367-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/608-161-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/608-164-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/820-80-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/820-86-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/820-100-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/988-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/988-393-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/988-175-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/988-169-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1048-57-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/1048-59-0x00000000054C0000-0x00000000055F8000-memory.dmp

Filesize
1.2MB

Download
memory/1048-58-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1048-56-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1048-54-0x0000000001150000-0x00000000012BC000-memory.dmp

Filesize
1.4MB

Download
memory/1048-55-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/1048-60-0x0000000005A30000-0x0000000005BE0000-memory.dmp

Filesize
1.7MB

Download
memory/1304-227-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1304-407-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1520-101-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1556-574-0x00000000002E0000-0x0000000000360000-memory.dmp

Filesize
512KB

Download
memory/1556-219-0x00000000002E0000-0x0000000000360000-memory.dmp

Filesize
512KB

Download
memory/1556-405-0x00000000002E0000-0x0000000000360000-memory.dmp

Filesize
512KB

Download
memory/1556-381-0x00000000002E0000-0x0000000000360000-memory.dmp

Filesize
512KB

Download
memory/1580-137-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1584-136-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1628-111-0x0000000000B90000-0x0000000000BF6000-memory.dmp

Filesize
408KB

Download
memory/1628-138-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1628-116-0x0000000000B90000-0x0000000000BF6000-memory.dmp

Filesize
408KB

Download
memory/1712-147-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1712-195-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1712-159-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1712-141-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1712-158-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1712-379-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1712-156-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1740-109-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/1772-562-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1772-380-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1772-199-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1876-106-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2012-222-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2080-256-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2156-258-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2156-481-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2156-626-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2176-368-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2176-566-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2208-559-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2208-620-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2224-482-0x00000000006A0000-0x00000000008A9000-memory.dmp

Filesize
2.0MB

Download
memory/2224-262-0x00000000006A0000-0x00000000008A9000-memory.dmp

Filesize
2.0MB

Download
memory/2224-409-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2224-260-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2336-382-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2336-575-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2348-273-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2388-274-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2388-526-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2544-295-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2572-296-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2652-315-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2760-557-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2760-317-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2840-558-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2840-330-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2916-563-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2916-349-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3016-564-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/3016-351-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download