41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5

Analysis

max time kernel
106s
max time network
149s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
Size

1.8MB
MD5

82017f7ea9fb91714cff3db05782155a
SHA1

2d1bd06543bf1e1a6a8950a1e3fef3cf08ddfc74
SHA256

41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5
SHA512

bb606f9301b1785486373a92ba3ed910766dd5b78187d6ac73d6f1d4e2ae9e245ac9de1a965fd0c2266da3387194102aede9deb552b8d89e69030d3b5fcf4753
SSDEEP

49152:qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAwdUXJFknMUrGFon:qvbjVkjjCAzJjyXjMMUSF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 28 IoCs

pid	Process
464	Process not Found
2480	alg.exe
524	aspnet_state.exe
2376	mscorsvw.exe
804	mscorsvw.exe
1964	mscorsvw.exe
1688	dllhost.exe
2008	ehRecvr.exe
1328	ehsched.exe
1664	elevation_service.exe
1256	IEEtwCollector.exe
2848	GROOVE.EXE
588	maintenanceservice.exe
2028	mscorsvw.exe
2748	msdtc.exe
2872	msiexec.exe
2012	OSE.EXE
1816	mscorsvw.exe
2852	OSPPSVC.EXE
2788	perfhost.exe
1972	locator.exe
320	snmptrap.exe
2632	vds.exe
2528	vssvc.exe
2112	wbengine.exe
2120	WmiApSrv.exe
2404	wmpnetwk.exe
2628	SearchIndexer.exe

Loads dropped DLL 14 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2872	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ac4410b0c30a3ea8.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_ar.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_hu.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_is.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_pt-BR.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT6F38.tmp	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\GoogleUpdateCore.exe	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_de.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_kn.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_et.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_iw.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_id.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_hi.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\GoogleCrashHandler64.exe	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_bn.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_gu.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_sr.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_vi.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\psmachine_64.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_ko.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_fr.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_ro.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_es.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_fil.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_en.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_ru.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\GoogleUpdateBroker.exe	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_es-419.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6F37.tmp\goopdateres_sv.dll	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A464BEE9-43F8-4B27-89C9-D22FC5DA04A4}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A464BEE9-43F8-4B27-89C9-D22FC5DA04A4}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe

Modifies data under HKEY_USERS 33 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2600	ehRec.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2880	41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
Token: SeTakeOwnershipPrivilege	524	aspnet_state.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: 33	1524	EhTray.exe
Token: SeIncBasePriorityPrivilege	1524	EhTray.exe
Token: SeDebugPrivilege	2600	ehRec.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeRestorePrivilege	2872	msiexec.exe
Token: SeTakeOwnershipPrivilege	2872	msiexec.exe
Token: SeSecurityPrivilege	2872	msiexec.exe
Token: 33	1524	EhTray.exe
Token: SeIncBasePriorityPrivilege	1524	EhTray.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeBackupPrivilege	2528	vssvc.exe
Token: SeRestorePrivilege	2528	vssvc.exe
Token: SeAuditPrivilege	2528	vssvc.exe
Token: SeBackupPrivilege	2112	wbengine.exe
Token: SeRestorePrivilege	2112	wbengine.exe
Token: SeSecurityPrivilege	2112	wbengine.exe
Token: SeManageVolumePrivilege	2628	SearchIndexer.exe
Token: 33	2628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2628	SearchIndexer.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1524	EhTray.exe
1524	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1524	EhTray.exe
1524	EhTray.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2972	SearchProtocolHost.exe
2972	SearchProtocolHost.exe
2972	SearchProtocolHost.exe
2972	SearchProtocolHost.exe
2972	SearchProtocolHost.exe
1840	SearchProtocolHost.exe
1840	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2028	1964	mscorsvw.exe	42
PID 1964 wrote to memory of 2028	1964	mscorsvw.exe	42
PID 1964 wrote to memory of 2028	1964	mscorsvw.exe	42
PID 1964 wrote to memory of 1816	1964	mscorsvw.exe	46
PID 1964 wrote to memory of 1816	1964	mscorsvw.exe	46
PID 1964 wrote to memory of 1816	1964	mscorsvw.exe	46
PID 2628 wrote to memory of 2972	2628	SearchIndexer.exe	59
PID 2628 wrote to memory of 2972	2628	SearchIndexer.exe	59
PID 2628 wrote to memory of 2972	2628	SearchIndexer.exe	59
PID 2628 wrote to memory of 2284	2628	SearchIndexer.exe	60
PID 2628 wrote to memory of 2284	2628	SearchIndexer.exe	60
PID 2628 wrote to memory of 2284	2628	SearchIndexer.exe	60
PID 2628 wrote to memory of 1840	2628	SearchIndexer.exe	61
PID 2628 wrote to memory of 1840	2628	SearchIndexer.exe	61
PID 2628 wrote to memory of 1840	2628	SearchIndexer.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe
"C:\Users\Admin\AppData\Local\Temp\41a8db3ff1e6a473c87543dd4bea14e32a32e06911085f693ec78199ce126ba5.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2376

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1688

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2008

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1524

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1256

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:588

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2012

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-86725733-3001458681-3405935542-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-86725733-3001458681-3405935542-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2972
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2284
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
66483e74670dff61a595d4e392d1aa35

SHA1
dcdc62052fcb621fcb4d7df84ac97b98a2481d91

SHA256
df63f228902e9e8f1b32b4a021d6926fb176b7de81dc7ccecf2ff8603dcaecff

SHA512
ce575d6bb107d67c9d036e334ffb446c142d4700fd6608c94f96e4aa1e5c6af29243f895a6038c2c395a4cb0b9c362349006a183f91d7bd6c73c432fc1527d92

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
aa4f2681956fee339b4e7bd749fdcead

SHA1
3993726ce82cb46bd9d0f5c548c47e4dfb840dba

SHA256
203a7dc2a003c9a2beddd230b9e198ca95513a5b0e0b4e9f3aa9784569c349e9

SHA512
1ba815ca926ea5cf4f83df57cafbdedb00b632b529d3c980dcb2bb7da96cf752980ec0fe83481fca4113e2873e766821ee61e1d8f56d8b374e1a1a6299155c64

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
ac54b05feb49254d4f701c85d99a114c

SHA1
f1d6addc341dee0d65951d1d1268e1420f8ed142

SHA256
58be07b4163667d90c00c7ad27aca6640b80d6282c90c5694e20ffc3f3273ed5

SHA512
e04cdaf98a94462965d3e6ecb79d3e9ab41d719e86360e7acb6b6f3cfb4faed8fdf7650e38e45ba0657e8794d2096d91c0301f0ba87dc100bb6c53cc92bec039

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
bc4b34146daf1b4255f0a5f2f7bbf7f3

SHA1
f0dcdba0a0f98a62647f3eadf0499a101605b11f

SHA256
41bff65bb8214996715c521e7b0f51388fbfb0c4e675fd9d67e474cbae912488

SHA512
953fc4a15cf5387bbea1a0970d91c7eabcdcfbfcf72320c33db867a417864fa32bad9811bc6d404b29a6b9e3443cd7b1877038ba16028f8fb3b8bc5c69bc84dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
855e210f1b9665bdfdd913ce616bec1d

SHA1
f28d3bd93996187799a637b4387ace78291a5611

SHA256
48f851254b0c27587d918ebed793c7c9be8793acf0f03bd5f112c96f297abaf6

SHA512
1cc51957e9b014ebe9d5c325259a9e4c051c449686138af2a23dec63839f8787c4cfc45c78ab0507634371cae741c50f86ce5872b58d9a2a0d3e5fecc922a124

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5fd63314939528c3097738eaf909a378

SHA1
ef994b719d48a3adfe05382a2f0304b4825b2241

SHA256
f4705273703391e5bb6de1ea5a12809d2f261017484d552b105bca74e59fccac

SHA512
7d86817ff59011d45da1d7ba6dddf040ef82aa5f8eaaab0501e26e6c2701fe78d070b97bde07ca3060b328b41315e7089c605275582315adf4ec663cb32adb06

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
12c996941beb748468b2674cfd764d2e

SHA1
c8a54cca8eade95a28eec3aa8e07dd20b3f8f265

SHA256
f339fea675a9113986dd3988ff1b1b3a8d5dace88fc463606e88dc71484c604e

SHA512
d132f2f49c7eb4f5805bcc29e359ba7926f1c478e99aec08c37208f5faee5e25ce182f3c18c7c1c850ededac43bccfb1938f2b5866b1f1ecf0a0f4514ff1e929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
052b8915fdb1eb4bcb2acc336b18afce

SHA1
d2841cce47fa1d32724694164ce66fa4c0edb86a

SHA256
7bfd9317e1d2d2786565c0eb03f9dc9b9bdf016f768773ad1661d0219dcfe625

SHA512
d83656d138df9787398ee9b0f824f874371dc5b9c58c470f0fa888010b5bf34d10f1c0f69cc9c09289d7b4320eaf19ca481eee6f42ca6413a0bebcba47fb5319

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
052b8915fdb1eb4bcb2acc336b18afce

SHA1
d2841cce47fa1d32724694164ce66fa4c0edb86a

SHA256
7bfd9317e1d2d2786565c0eb03f9dc9b9bdf016f768773ad1661d0219dcfe625

SHA512
d83656d138df9787398ee9b0f824f874371dc5b9c58c470f0fa888010b5bf34d10f1c0f69cc9c09289d7b4320eaf19ca481eee6f42ca6413a0bebcba47fb5319

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3144b5ec314e2d9fbea0effc867ccb03

SHA1
b79f2677291bad22f75cd719c5a8beece1ef9252

SHA256
2d14d4e0f09c2129074b2ba18d922daf841a9c2f040559c9cabf6fe42600a910

SHA512
4f64226f5be7c573d17ff3f3def27e47e1ad4ea18968bb8715e0de656943a3dbe83445655d4a6f8c42e624421bc38d24429f47d758adaabb19b0464630269255

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
afd3471a479ee6593357cd8199f12e2b

SHA1
6ef7c9579afc69c025808b242d3bb2346eb8f545

SHA256
5d00a4132f107ad65ae38b381623e698dd52f9349e2c52de4d4f6b83e4cb4109

SHA512
1f7570d3bad4b69fae7444b9b3ad4a2ad9a9be0312d755f4d50230c113327dc2e038c2951c0874764b1e7b35955fac013d7bb68fe89125baeb3b5b31d061c530

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
9dca15c4b550e40a3addb93c85119d17

SHA1
e2d24f7a8215d0d9c2c7a2ec20707733b49d2234

SHA256
66377b044703ca3fc333436562b8952cb8f37de53dfd8c8dc4cf9f850fa98655

SHA512
a86c305f3402879b10957f0f9722233fd6c7acf8d63a7107844b117745efb662cd55f6ccb296a4ced4e5f7f8b4ebfc3c6ee743120e5626a215cbd35e0be05a4d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
9dca15c4b550e40a3addb93c85119d17

SHA1
e2d24f7a8215d0d9c2c7a2ec20707733b49d2234

SHA256
66377b044703ca3fc333436562b8952cb8f37de53dfd8c8dc4cf9f850fa98655

SHA512
a86c305f3402879b10957f0f9722233fd6c7acf8d63a7107844b117745efb662cd55f6ccb296a4ced4e5f7f8b4ebfc3c6ee743120e5626a215cbd35e0be05a4d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
9dca15c4b550e40a3addb93c85119d17

SHA1
e2d24f7a8215d0d9c2c7a2ec20707733b49d2234

SHA256
66377b044703ca3fc333436562b8952cb8f37de53dfd8c8dc4cf9f850fa98655

SHA512
a86c305f3402879b10957f0f9722233fd6c7acf8d63a7107844b117745efb662cd55f6ccb296a4ced4e5f7f8b4ebfc3c6ee743120e5626a215cbd35e0be05a4d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
9dca15c4b550e40a3addb93c85119d17

SHA1
e2d24f7a8215d0d9c2c7a2ec20707733b49d2234

SHA256
66377b044703ca3fc333436562b8952cb8f37de53dfd8c8dc4cf9f850fa98655

SHA512
a86c305f3402879b10957f0f9722233fd6c7acf8d63a7107844b117745efb662cd55f6ccb296a4ced4e5f7f8b4ebfc3c6ee743120e5626a215cbd35e0be05a4d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
710deac4e01d2dbf445bd09ad38c4c76

SHA1
922063ca4048fb6c57e2cec062943edafcef3247

SHA256
c6300e905071211e34ca9b4330f20e647fef48cd40951d7c0ed46c96813cf260

SHA512
addce865eb0abaa0586be47923776f5abf1d9e4aea3189f7111bf229ee2e9f227778f45a4534302ec2c14006d2ae2862552eaf650f2a554a9e1654fb2699b3e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
710deac4e01d2dbf445bd09ad38c4c76

SHA1
922063ca4048fb6c57e2cec062943edafcef3247

SHA256
c6300e905071211e34ca9b4330f20e647fef48cd40951d7c0ed46c96813cf260

SHA512
addce865eb0abaa0586be47923776f5abf1d9e4aea3189f7111bf229ee2e9f227778f45a4534302ec2c14006d2ae2862552eaf650f2a554a9e1654fb2699b3e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
53a2e19325c05342f6e0657477c80b84

SHA1
0372fca997f5abb4ad9b41f2bf2879f6400df35f

SHA256
ca882e6bc7ac956a201928aeab5881405c3d012efa7b4bd651a2650ae9bf161a

SHA512
4fe6773d127b2246e644a9687789b77d4650d081a239e8283f03b3aafcd30bf36712cb43e229df04ef0501559c4734e2ad7e9313cea526e6f7603b0b25c7e70a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
022fe45a523cc7c86153438ebdbbe50a

SHA1
9355e31e6d570498fbb673dd1f5ad76e73da08a6

SHA256
3b298b324c9b26c729d253560a92d4d1f38f02fb9e9f85d1f38f00e6e8eada1d

SHA512
cd3f0eb924d2ad7c3eb9bc7fedbc13f81a10c7f115014c0c4b5e50f6cd368f2a05cd0906bac76f5632933cc0dee511c65b43855f2b1e63ed7dde8b333135c832

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
598fd8c85b6420e5de41cdd017a60c2f

SHA1
940b4f9d815d777a2ddb31e7c65b471dde83c88d

SHA256
0b4be4848fc311eaf77f6adbfcaa5b8c28f9050684cefed67b9b84a10b6cb2e4

SHA512
815abfadaaddd7f1432ee474ac57a4c8dd4b51585e92fd0df45de76bcd101cc23ebba5070af8b7810e41ec3a59535940c5aae51553ffc17b6d9a1d90bd6dcba6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fbeadac8ace3c2a468a4bfad0b941a5b

SHA1
cb8d1af282f97c5343ae4e82268953ecd515f914

SHA256
7d72072e2f02f9cbedd29e7e6907fa13f36869959d6a63af6363de719cfa520f

SHA512
6d2012f9f6102963b9722055e43b66de343fc310b8426d5ee56d40ef3af8e09c3885d02428405bee6cac8c8ec9e6f0e94bdd0bf8f1e32a2513e63ba4dd1803bb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
eacc77c6d1e4d76aaf3cb2d2ae81a382

SHA1
65c54913284f15e9915291b2a354029967a9afc1

SHA256
f4e7aa31168fc36d8163ae4e2f7b2944fb2a5eb123cedc8bd34dc7e96bfe0fa1

SHA512
3bf7ab4503ca849f7aa804c22279003f2e76a20251e480fa139b779dc660f42c4d6a3a0041d391cd6dc10f0ee6f5fd0727374719df210c26b68cbc99f42a6fa3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
db6383e5becaf6f6c8298e034594dcb1

SHA1
46ff4a1812d857690a5abac56e01320da8c455f3

SHA256
6ee0a56813c77c9326b3e25ccfb9f33ead45ef5daff24b48f7fd6283d08dc0a4

SHA512
6c61514bbe996e6ea777a3aa28acde632fe942294fcc9b6a3d96edcaf206d78fe4e6e28a3a817180f1a97b39f81a5a2cdfecaf360bc3a337a26c6f50573045ec

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
2f5ba48cf7fb46c109697e6b052c5464

SHA1
397ff8ac74ab434704982fee6a3cd08d36fe8a75

SHA256
b652cd436e6e566992812d3308acc702ce14cb52cde28e6f85c49697b04bfa8f

SHA512
59c4e437924717bbf16865207da08b7ecf4f96b3f426dc454986eaf7d90be0bba16c7ebd988f6b9110b6d643f41e7f388a3e2181ef64b85caf56529c35b4449c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
96e29503b1704cfb83ca5d83c3843095

SHA1
1a3ed9980009b16492520084a4e0ff2e3e0b4d48

SHA256
596132c9bd6a6b12dc032392ebb8752e610614d7db33fc34cdf7c37af7cfce47

SHA512
eacd3504de1fabff6850342baad5dacdc83a1f821ae6a1b0d194c3d2fb5ad2f2de1bf8d8fb5bbae6a9a20834610d68e4064084cb332b253b892a55a553f7ae97

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
5ddb9a2abaad94b0faa254e9cccfd0e7

SHA1
8e15f014c26a3482dd255d2d3ba5f1c53c81f142

SHA256
47e162ec50f980fd2ceebcc7ef8b5286a00d4152334d4679287b4fd8102d8026

SHA512
1e40f6ab86532069e5f460d5eb8cd9f7f0f490bf7b9dc0d34538474f86bc192d1cdbd37e751ae1f6bab1344804408c256af6d1c25f0e257612db5ba78725a999

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
1bee10b5b5078c66eaa80392aab4eda6

SHA1
c9a20388a1e9c7ca035b1f087e15fa4217bca6ec

SHA256
5bceb71329f4db9275935a0e2fe79dbaa6356aebe41a604d640358ffbbc3f94d

SHA512
9b5d607c20424ff4bbc56b21bb285dd7effb0e9ff0133865d05fc12274fbebe19198866767ad1264331af57e5bbd1762dffef0dbb0a1a8b12f3c51c92d1ece0c

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
84f1297b00feec4b3913708c7217e2ab

SHA1
7a9104b634392cc364f578fcd89d7f9916b8c568

SHA256
1bbdcb495e82a7415af3fb2f14726eb6f9ceb5f38d325ec90ea00948d4e7cbc2

SHA512
e1ebe00cdb69d77e357104a174c0abd945bd2fa7bd3742bc2badde3f7b6277a475899d82c1fd064240c1be9c59757d300f44687c8a022d5e1bc1f9dcb2e92658

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d8e481ae1491b9f484a53c380aca6f17

SHA1
9f4fa8741a117d3ef377c4bf12f2ba29d1c6dbbf

SHA256
a1f2549e491047f71a8004929a528993ae15ba8fcf3e26bccede6261fac24045

SHA512
36ee984b8b77812bf00a95a61360c12270c2f846c80b66e5c527595f4b41b5b439dfd9f986a765d5a9abd7d8642af78e0a74577f159f6b8585ed1e4e23b18f6a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
e57ea3e21d2193359aa72a7470eecb9d

SHA1
e449265eb2385c89301b0e013d6a2f9332fad4c2

SHA256
86c36ea608a32d5ce3acbefc173076d31053c7997486b5e251200e9e9cb3c50d

SHA512
2532a6e7ce6e1879eeccd7cf04bc9065f5320f2726c0bc380098fd48d51ad7f529e0194b13d2f8afe14a6cfffce97c90e14044d78f9c6d4b3b1ba1aced493291

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d884076e1eb1d380fb236f2f2e1149d2

SHA1
8ab8f200007f95f9e9eae67ff3a4d68e6ac40664

SHA256
8d2b7fda4b78afd44cf3fd69f3ba7ccb7749bc332f3f3c3b2c9e87c26bbf7317

SHA512
6855bce04d325d6f0c3183c2eb629ce030a57c5a572ad5304532a27b3c3377572495d75fc8b57164910df1d1b02232781c39c697096175a806d7bf71487c9ca1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5bc279dd26a87ccc067d27a0c5d02688

SHA1
61b4815f1a2d0b26f6dacd212c95104d8418effb

SHA256
75ab5676d4547e1ec4284526abc826f43afc65d12e05d21586b8cbc8868aa9f9

SHA512
f2420d95a359995a2426ee6d78a8d63298c293874cd231d3d024318e5b5589cf0d67a6b23d170616bb11e557e16dc2a9a07e9f007da794fcee297cb5e95a2704

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
beffc15277da643b95c05fce404a641c

SHA1
ef84a18a20302ae24b3ebb1ebc09e7946db88508

SHA256
149dc7fe4f6a52bb20164171aec0cde2d759c41786f44d19b8539952c399547d

SHA512
77d070374324a92483397511753c0f8b418294b11c33195de316fe92d941f283fbdd57bdbd39a3b744529bbebb5b456be1641f3bb68d79e177fff4a3ea48f6fd

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
79dabfdd454e3b16ee68be975bfaf623

SHA1
0f9e72243b8cbfe62f09dd3a266536be772e7f8f

SHA256
bb69b6b740ca7f2e0f519469823ba224353d01910cf6cbc669cb337d4acd4eb8

SHA512
a38f31e869f95bbb27e4f82185ad7d1d72ff206ebe8954f46fd527d35f9fbc13cdd865c73417ef89d8a51bffc377477146bb7db0fce9f789e99c74fcd7235cfa

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
84f1297b00feec4b3913708c7217e2ab

SHA1
7a9104b634392cc364f578fcd89d7f9916b8c568

SHA256
1bbdcb495e82a7415af3fb2f14726eb6f9ceb5f38d325ec90ea00948d4e7cbc2

SHA512
e1ebe00cdb69d77e357104a174c0abd945bd2fa7bd3742bc2badde3f7b6277a475899d82c1fd064240c1be9c59757d300f44687c8a022d5e1bc1f9dcb2e92658

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5fd63314939528c3097738eaf909a378

SHA1
ef994b719d48a3adfe05382a2f0304b4825b2241

SHA256
f4705273703391e5bb6de1ea5a12809d2f261017484d552b105bca74e59fccac

SHA512
7d86817ff59011d45da1d7ba6dddf040ef82aa5f8eaaab0501e26e6c2701fe78d070b97bde07ca3060b328b41315e7089c605275582315adf4ec663cb32adb06

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
052b8915fdb1eb4bcb2acc336b18afce

SHA1
d2841cce47fa1d32724694164ce66fa4c0edb86a

SHA256
7bfd9317e1d2d2786565c0eb03f9dc9b9bdf016f768773ad1661d0219dcfe625

SHA512
d83656d138df9787398ee9b0f824f874371dc5b9c58c470f0fa888010b5bf34d10f1c0f69cc9c09289d7b4320eaf19ca481eee6f42ca6413a0bebcba47fb5319

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
afd3471a479ee6593357cd8199f12e2b

SHA1
6ef7c9579afc69c025808b242d3bb2346eb8f545

SHA256
5d00a4132f107ad65ae38b381623e698dd52f9349e2c52de4d4f6b83e4cb4109

SHA512
1f7570d3bad4b69fae7444b9b3ad4a2ad9a9be0312d755f4d50230c113327dc2e038c2951c0874764b1e7b35955fac013d7bb68fe89125baeb3b5b31d061c530

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fbeadac8ace3c2a468a4bfad0b941a5b

SHA1
cb8d1af282f97c5343ae4e82268953ecd515f914

SHA256
7d72072e2f02f9cbedd29e7e6907fa13f36869959d6a63af6363de719cfa520f

SHA512
6d2012f9f6102963b9722055e43b66de343fc310b8426d5ee56d40ef3af8e09c3885d02428405bee6cac8c8ec9e6f0e94bdd0bf8f1e32a2513e63ba4dd1803bb

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
2f5ba48cf7fb46c109697e6b052c5464

SHA1
397ff8ac74ab434704982fee6a3cd08d36fe8a75

SHA256
b652cd436e6e566992812d3308acc702ce14cb52cde28e6f85c49697b04bfa8f

SHA512
59c4e437924717bbf16865207da08b7ecf4f96b3f426dc454986eaf7d90be0bba16c7ebd988f6b9110b6d643f41e7f388a3e2181ef64b85caf56529c35b4449c

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
96e29503b1704cfb83ca5d83c3843095

SHA1
1a3ed9980009b16492520084a4e0ff2e3e0b4d48

SHA256
596132c9bd6a6b12dc032392ebb8752e610614d7db33fc34cdf7c37af7cfce47

SHA512
eacd3504de1fabff6850342baad5dacdc83a1f821ae6a1b0d194c3d2fb5ad2f2de1bf8d8fb5bbae6a9a20834610d68e4064084cb332b253b892a55a553f7ae97

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
5ddb9a2abaad94b0faa254e9cccfd0e7

SHA1
8e15f014c26a3482dd255d2d3ba5f1c53c81f142

SHA256
47e162ec50f980fd2ceebcc7ef8b5286a00d4152334d4679287b4fd8102d8026

SHA512
1e40f6ab86532069e5f460d5eb8cd9f7f0f490bf7b9dc0d34538474f86bc192d1cdbd37e751ae1f6bab1344804408c256af6d1c25f0e257612db5ba78725a999

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
1bee10b5b5078c66eaa80392aab4eda6

SHA1
c9a20388a1e9c7ca035b1f087e15fa4217bca6ec

SHA256
5bceb71329f4db9275935a0e2fe79dbaa6356aebe41a604d640358ffbbc3f94d

SHA512
9b5d607c20424ff4bbc56b21bb285dd7effb0e9ff0133865d05fc12274fbebe19198866767ad1264331af57e5bbd1762dffef0dbb0a1a8b12f3c51c92d1ece0c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
84f1297b00feec4b3913708c7217e2ab

SHA1
7a9104b634392cc364f578fcd89d7f9916b8c568

SHA256
1bbdcb495e82a7415af3fb2f14726eb6f9ceb5f38d325ec90ea00948d4e7cbc2

SHA512
e1ebe00cdb69d77e357104a174c0abd945bd2fa7bd3742bc2badde3f7b6277a475899d82c1fd064240c1be9c59757d300f44687c8a022d5e1bc1f9dcb2e92658

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
84f1297b00feec4b3913708c7217e2ab

SHA1
7a9104b634392cc364f578fcd89d7f9916b8c568

SHA256
1bbdcb495e82a7415af3fb2f14726eb6f9ceb5f38d325ec90ea00948d4e7cbc2

SHA512
e1ebe00cdb69d77e357104a174c0abd945bd2fa7bd3742bc2badde3f7b6277a475899d82c1fd064240c1be9c59757d300f44687c8a022d5e1bc1f9dcb2e92658

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d8e481ae1491b9f484a53c380aca6f17

SHA1
9f4fa8741a117d3ef377c4bf12f2ba29d1c6dbbf

SHA256
a1f2549e491047f71a8004929a528993ae15ba8fcf3e26bccede6261fac24045

SHA512
36ee984b8b77812bf00a95a61360c12270c2f846c80b66e5c527595f4b41b5b439dfd9f986a765d5a9abd7d8642af78e0a74577f159f6b8585ed1e4e23b18f6a

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d884076e1eb1d380fb236f2f2e1149d2

SHA1
8ab8f200007f95f9e9eae67ff3a4d68e6ac40664

SHA256
8d2b7fda4b78afd44cf3fd69f3ba7ccb7749bc332f3f3c3b2c9e87c26bbf7317

SHA512
6855bce04d325d6f0c3183c2eb629ce030a57c5a572ad5304532a27b3c3377572495d75fc8b57164910df1d1b02232781c39c697096175a806d7bf71487c9ca1

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
5bc279dd26a87ccc067d27a0c5d02688

SHA1
61b4815f1a2d0b26f6dacd212c95104d8418effb

SHA256
75ab5676d4547e1ec4284526abc826f43afc65d12e05d21586b8cbc8868aa9f9

SHA512
f2420d95a359995a2426ee6d78a8d63298c293874cd231d3d024318e5b5589cf0d67a6b23d170616bb11e557e16dc2a9a07e9f007da794fcee297cb5e95a2704

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
beffc15277da643b95c05fce404a641c

SHA1
ef84a18a20302ae24b3ebb1ebc09e7946db88508

SHA256
149dc7fe4f6a52bb20164171aec0cde2d759c41786f44d19b8539952c399547d

SHA512
77d070374324a92483397511753c0f8b418294b11c33195de316fe92d941f283fbdd57bdbd39a3b744529bbebb5b456be1641f3bb68d79e177fff4a3ea48f6fd

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.5MB

MD5
79dabfdd454e3b16ee68be975bfaf623

SHA1
0f9e72243b8cbfe62f09dd3a266536be772e7f8f

SHA256
bb69b6b740ca7f2e0f519469823ba224353d01910cf6cbc669cb337d4acd4eb8

SHA512
a38f31e869f95bbb27e4f82185ad7d1d72ff206ebe8954f46fd527d35f9fbc13cdd865c73417ef89d8a51bffc377477146bb7db0fce9f789e99c74fcd7235cfa

Download Submit
memory/320-418-0x0000000100000000-0x0000000100166000-memory.dmp

Filesize
1.4MB

Download
memory/524-85-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/524-86-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/524-93-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/524-232-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/588-339-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/588-341-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/588-322-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/588-315-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/804-225-0x0000000010000000-0x0000000010177000-memory.dmp

Filesize
1.5MB

Download
memory/804-115-0x0000000010000000-0x0000000010177000-memory.dmp

Filesize
1.5MB

Download
memory/804-116-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/804-122-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1256-292-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1328-260-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1328-310-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1328-319-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1328-268-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1328-261-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1664-287-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1664-289-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1664-346-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1688-288-0x0000000100000000-0x0000000100165000-memory.dmp

Filesize
1.4MB

Download
memory/1688-231-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1688-238-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1688-239-0x0000000100000000-0x0000000100165000-memory.dmp

Filesize
1.4MB

Download
memory/1816-405-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1816-413-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1816-411-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-219-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1964-212-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/1964-273-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1964-214-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1972-415-0x0000000100000000-0x0000000100165000-memory.dmp

Filesize
1.4MB

Download
memory/2008-245-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2008-253-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2008-318-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2008-256-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2008-267-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2008-296-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2008-257-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2008-246-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2012-369-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2012-368-0x000000002E000000-0x000000002E185000-memory.dmp

Filesize
1.5MB

Download
memory/2028-347-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2028-394-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-393-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2028-395-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-105-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2376-98-0x0000000010000000-0x000000001016F000-memory.dmp

Filesize
1.4MB

Download
memory/2376-99-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2376-204-0x0000000010000000-0x000000001016F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-220-0x0000000100000000-0x0000000100174000-memory.dmp

Filesize
1.5MB

Download
memory/2480-58-0x0000000100000000-0x0000000100174000-memory.dmp

Filesize
1.5MB

Download
memory/2600-285-0x0000000000E50000-0x0000000000ED0000-memory.dmp

Filesize
512KB

Download
memory/2600-325-0x0000000000E50000-0x0000000000ED0000-memory.dmp

Filesize
512KB

Download
memory/2600-343-0x000007FEF3D70000-0x000007FEF470D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-284-0x000007FEF3D70000-0x000007FEF470D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-338-0x0000000000E50000-0x0000000000ED0000-memory.dmp

Filesize
512KB

Download
memory/2600-420-0x0000000000E50000-0x0000000000ED0000-memory.dmp

Filesize
512KB

Download
memory/2600-286-0x000007FEF3D70000-0x000007FEF470D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-332-0x000007FEF3D70000-0x000007FEF470D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-345-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/2788-412-0x00000000001F0000-0x0000000000257000-memory.dmp

Filesize
412KB

Download
memory/2788-414-0x0000000001000000-0x0000000001166000-memory.dmp

Filesize
1.4MB

Download
memory/2848-361-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2848-304-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2848-306-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2852-406-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2852-399-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2872-351-0x0000000100000000-0x0000000100182000-memory.dmp

Filesize
1.5MB

Download
memory/2872-366-0x0000000000560000-0x00000000006E2000-memory.dmp

Filesize
1.5MB

Download
memory/2880-123-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2880-210-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2880-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2880-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2880-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2880-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download