c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71

Analysis

max time kernel
99s
max time network
153s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
Size

1.8MB
MD5

94b83925e08cb5bb153bec9b04750c8b
SHA1

dc7ad994067d87c04a0650c1ebe1d2f0798f2bf8
SHA256

c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71
SHA512

30c354b0b46600de8b33260da76539a5d9673ee55dfb1b86d64a47146f9d10edefe468a3cb060bf701295744a43a4d7de44656a9af0241100dce5d539ec19d7e
SSDEEP

49152:SK783MoXnFv3dcj7q5LsLp3CceMuczXrSLNiXicJFFRGNzj3:SK78HXnl3dcj7q5KpyceMuczXW7wRGpb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
468	Process not Found
2732	alg.exe
2588	aspnet_state.exe
2256	mscorsvw.exe
692	mscorsvw.exe
1440	mscorsvw.exe
1848	mscorsvw.exe
2112	dllhost.exe
940	ehRecvr.exe
2144	ehsched.exe
2684	elevation_service.exe
2616	IEEtwCollector.exe
2608	mscorsvw.exe
2572	GROOVE.EXE
1600	maintenanceservice.exe
3016	mscorsvw.exe
3048	msdtc.exe
2088	msiexec.exe
2528	OSE.EXE
692	OSPPSVC.EXE

Loads dropped DLL 9 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2088	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a270ef98263a7f60.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\GoogleUpdateOnDemand.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\psuser_64.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_el.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_no.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_it.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT3AC1.tmp	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_is.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_ja.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_bn.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_kn.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_ur.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\psmachine_64.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_de.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_ml.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_bg.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_fi.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_nl.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_zh-TW.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\GoogleUpdateComRegisterShell64.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\psuser.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_gu.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_ko.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_sr.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_zh-CN.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\GoogleCrashHandler64.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_es-419.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_fa.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_fr.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_tr.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\GoogleUpdateCore.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_ca.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_mr.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_sl.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_am.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_es.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_pt-PT.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_sw.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\GoogleUpdateSetup.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_pt-BR.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_sk.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_sv.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\GoogleCrashHandler.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdate.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_hi.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_iw.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_ms.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_te.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\psmachine.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_hr.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_ta.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_da.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_th.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\GoogleUpdateSetup.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\GoogleUpdate.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_cs.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_en.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_fil.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_hu.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AC0.tmp\goopdateres_ru.dll	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{307D6932-C5A5-4D1B-A650-947566BF365A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{307D6932-C5A5-4D1B-A650-947566BF365A}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2708	ehRec.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2524	c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
Token: SeTakeOwnershipPrivilege	2588	aspnet_state.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: 33	1688	EhTray.exe
Token: SeIncBasePriorityPrivilege	1688	EhTray.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: SeDebugPrivilege	2708	ehRec.exe
Token: SeShutdownPrivilege	1848	mscorsvw.exe
Token: 33	1688	EhTray.exe
Token: SeIncBasePriorityPrivilege	1688	EhTray.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeSecurityPrivilege	2088	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1688	EhTray.exe
1688	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1688	EhTray.exe
1688	EhTray.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2608	1848	mscorsvw.exe	43
PID 1848 wrote to memory of 2608	1848	mscorsvw.exe	43
PID 1848 wrote to memory of 2608	1848	mscorsvw.exe	43
PID 1848 wrote to memory of 3016	1848	mscorsvw.exe	46
PID 1848 wrote to memory of 3016	1848	mscorsvw.exe	46
PID 1848 wrote to memory of 3016	1848	mscorsvw.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe
"C:\Users\Admin\AppData\Local\Temp\c97fef9f0924dd1509475bb5c0a8b7874f72f78eb93d70a076bac2fd17228e71.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2256

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2112

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:940

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2616

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2528

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:692

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:800

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2944

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2952504676-3105837840-1406404655-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2952504676-3105837840-1406404655-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f47df195b5eb46de8e215808c39396e1

SHA1
41067b4e922793ab37af30a2c7357e8b13c9e5c5

SHA256
3cb9838fae6432ceef87cc312ed530b1d64786ebf615b8dbe188e23f582eaa59

SHA512
04bf851b3502a44db9199ff4724220d41e3ba1e4f66755b0e05cca796cb090692087ce59655c0f0d86342c0eb3e59208670d575ffdcdc99fdb83a683ca47c938

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
3dfea03fccf57201af969e0b659b95ac

SHA1
e99ffdf3f8d7c723d3c5d2b57491ff8c87ce7b54

SHA256
483c24a120dab53558f15f65dd640cb2e859ad199acd8f227e4fbc3af7303bba

SHA512
0f2408d482e79928b788ac987051220b8b057a4011b57e42c08d02a932b0e36bc4c45ec41d45964ea576b42a3ab461d5add0ed00698dba249e65b62380908bd9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4bae4357d99b8744a99b981c5620e4d1

SHA1
3f54450ec425de2ec4dc8fb8a559075bd5721865

SHA256
a3ffd6ed1e4e16c4606b199aff12ace6e75a20a63e6895bc2bde956720acbce0

SHA512
f680a8d1bf46f7f9e15e01cd19f800c302b5a766c2742d5b5c9d67015a708134988b0e982065b7112077121437d2d32f40b98bd1964ab146e2ba12561561a25e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
355998e57da5363298d7731e4cbb7946

SHA1
079a1e08576b0fbabc2664bfb29f6306baa73592

SHA256
42bac0d7dcfafc740590e4cb88004b0df21486d41a7f39e0bbbd7ae46e986ef7

SHA512
748eef433db6b6b5958f5872973905c33a4403377821baf89c5e263253b81ce2c010a5bc0067c9377b750a5a51e449695b44c5ca8d630ce5e0ff7bf011e21764

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a4cf9cb3bbca5059f4249373522eb09c

SHA1
77c27c14ddae3a103bf0efc67c6daa10870d12e0

SHA256
d5bdd03973accc5472c2bf628d5048e88476b732c173046fc01e782d40a1206f

SHA512
66b08708b408145e8ea40ae9a3ca4fd0eea2072111012d66517db13f39f6c2c8f970a6da7fedce864d455b93775363f71d87d6e9a84bf3b936e9956b4c908cd6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
95b9511e80a986418f1e11ca1df37810

SHA1
01c3ffa061681e094daad6d3061be2d2b121a3ea

SHA256
ed850f6818f63d0bb9e766e2de65297137d80a153fbff903c9bf5497ae5cc7d4

SHA512
7ddd3d9db12fd75541372aa0c24d43a920bae60f9a89d438d4057e0c69d9b63db82c17fbd2017de24c1506afe9f25d872c7ab531dec71e9ecb7896b79c5b1b2e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
14938dbd46860392d92d087a4ca6bc08

SHA1
cdfdc49ebf109f64cb0144afa9b3ef3754863714

SHA256
7dae35c2d369b4aa441d9677650e42526feff241b1db12c849d36940b0f04b1c

SHA512
b9375f5e0cc27aaf7ef4153bcb33170264907c65154db4a52d1615133b680f9919b9b227b6080a89a4e83d631ca1a7d8cb5f28b3fe83179b65ea4beb72ec189d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
3131d9489ff4943b52dae7939c79c6e3

SHA1
30527763c4099eba4bc0816e20b97d6500dafd99

SHA256
9bedb4dde21e4dca0b2f474ae0721be7a1d1eeeefe64d830a04da3fc3dc3e50a

SHA512
b006b0960d3708d48c9e84ae01d4f367812036fe272710d952362c6fb0340a376f34dec178cda3ea5dde442bd88bbe02be7831bdd66a93660cf492794651e36b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
3131d9489ff4943b52dae7939c79c6e3

SHA1
30527763c4099eba4bc0816e20b97d6500dafd99

SHA256
9bedb4dde21e4dca0b2f474ae0721be7a1d1eeeefe64d830a04da3fc3dc3e50a

SHA512
b006b0960d3708d48c9e84ae01d4f367812036fe272710d952362c6fb0340a376f34dec178cda3ea5dde442bd88bbe02be7831bdd66a93660cf492794651e36b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3dabf3e407c4a3380386ec62745cd028

SHA1
7f46b21d62b0e449d04334cf4e5d410e9fb50037

SHA256
9a8091b12d410d47e6b728138213b85b1d05f4f3a358485bac5d6cc10bae7a5b

SHA512
dff982ce92c94a12da53d6aec4779b9388c76383d43f184ad67075fe89fbe60d62329312ca273b7d53e8d59978a6011f3d8abb19853f1cb0fdd0675355077f4b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
05fe82af5ca598a88427182d548a0623

SHA1
126001010de1f64ee04193fc5ffaa3c645d4fde1

SHA256
6c16bbcfd91ab1b3685fac8ada1677b1bc7275922ded20139fe653f06b7091e3

SHA512
fb313f0589004fdc8b3fc46a1c9b3688de076eec447ee72da5cd5a863a1fd72853dd9f9447ae5cf29670cd21b1cd9239157f8a91ed2d0ef92ec422e6fb28174a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d7af2d9c40ddf404cd4230d5e6535449

SHA1
6ebf65929fc1d2fe17b7aa445fd2afe101313f02

SHA256
d6001546b1cfda98535832df5cd89953cc9e07b08588901b53b2ce4252a52ffe

SHA512
4fe0970bdb784e4b16a203aa0b5dae069f6a340bf0cc44bd018d9b92c2d826457a75b27ede1bea1ad160ffac713e831ab4d17ca5e3238bdcb6a71bc32a797df1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d7af2d9c40ddf404cd4230d5e6535449

SHA1
6ebf65929fc1d2fe17b7aa445fd2afe101313f02

SHA256
d6001546b1cfda98535832df5cd89953cc9e07b08588901b53b2ce4252a52ffe

SHA512
4fe0970bdb784e4b16a203aa0b5dae069f6a340bf0cc44bd018d9b92c2d826457a75b27ede1bea1ad160ffac713e831ab4d17ca5e3238bdcb6a71bc32a797df1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d7af2d9c40ddf404cd4230d5e6535449

SHA1
6ebf65929fc1d2fe17b7aa445fd2afe101313f02

SHA256
d6001546b1cfda98535832df5cd89953cc9e07b08588901b53b2ce4252a52ffe

SHA512
4fe0970bdb784e4b16a203aa0b5dae069f6a340bf0cc44bd018d9b92c2d826457a75b27ede1bea1ad160ffac713e831ab4d17ca5e3238bdcb6a71bc32a797df1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d7af2d9c40ddf404cd4230d5e6535449

SHA1
6ebf65929fc1d2fe17b7aa445fd2afe101313f02

SHA256
d6001546b1cfda98535832df5cd89953cc9e07b08588901b53b2ce4252a52ffe

SHA512
4fe0970bdb784e4b16a203aa0b5dae069f6a340bf0cc44bd018d9b92c2d826457a75b27ede1bea1ad160ffac713e831ab4d17ca5e3238bdcb6a71bc32a797df1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
39001604d9a6a056923258bde15dd86a

SHA1
cd03600f6c2745a6fa83ec0986f0ea5e90692a07

SHA256
f992d0fbfac3ab260a941bc64c8780804c25ed6ce4d53c9d22f7240c2e4ad7e8

SHA512
8033f727fba4ef8a0871426cdd213c1cb14ff4d44e333a40fe145754076d1df886ac37c3f2219ff3db9e935b96bef1ef145c5fc2db10f5b9842a7cddf3cff26b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
39001604d9a6a056923258bde15dd86a

SHA1
cd03600f6c2745a6fa83ec0986f0ea5e90692a07

SHA256
f992d0fbfac3ab260a941bc64c8780804c25ed6ce4d53c9d22f7240c2e4ad7e8

SHA512
8033f727fba4ef8a0871426cdd213c1cb14ff4d44e333a40fe145754076d1df886ac37c3f2219ff3db9e935b96bef1ef145c5fc2db10f5b9842a7cddf3cff26b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9dbaf3b75265f7c1a1005bbf8277d4a2

SHA1
2e20b65755858107c06e8561340e505b8f2b81cc

SHA256
ddb55f9f8f497850ae50de445691f33aa2f7b04a4ab3fbda6c628de230abd376

SHA512
8ff8226380950813115e38fd0264a526e4d5e2c301df5bae5e9f7d364bfd559630008fbdcbbe31f8c2c101bfad3fa24e4612d35a242f7082b060d0901370dc5d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3d61a54616d4b1dce7f367105e3524f8

SHA1
89537d960aadd1e4c1b16189672e49d140db21e6

SHA256
2a29a10ec1dc7d7718c416d9ae1424c6564bac09697280756ce06c2eb54853ce

SHA512
4222020e2adf364a07d4b37f0fbff4887a998c94539c633a3eac0ad388a0a4853a15ddea92309bf1de887ba73b41372d727fe9f29e39f5349d42d2e1ac341416

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7d618d93285b108c00ebc64ed728f5b5

SHA1
e7594f74aeb83daf12ecfa56f4e7bee487070740

SHA256
58b99628cd49913255adf99efd5c61f515fe7924423a6c38788d55318f8f8373

SHA512
f8fe5af65234f91038734158988a167656c35de05f950bd3305c7122fd4d114c0260934608489535ad6e311c6f48e9474cf63f87438cffe48ed06f97931914eb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6d831c3355698c7db8a2dd4f43d436d0

SHA1
68e316ad9381e608ee5e9d03dfd545a93fb3c568

SHA256
3f8f438f6aa8200318dcda1a0b55383d416ab63d49a9ac797fa638c1316e6f0e

SHA512
7a1a7cf46e0ee40467337dbdca0582b2591071f60a836c77564d14f454ab3a11ad51bf15dbfeeb3543388893bb75fa61607d79cdd92211ef95a9c1de60578955

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
7e70ce9cb07cf2e5cc0a2dbbd57a68d3

SHA1
c8731b5425e4c71cdff0f16618c90913ab2589c2

SHA256
02fb1f57da21bc0f7adbb2918ff0d489895ac5e756d1a9d4ff5d09d01946dad8

SHA512
d604e24ac6a2dc646a0eed341bfdbff25af54d4be5bf01c10c6353235d15ca6707e3cd0ab15e197f7be46192918d804e8f9c7c071939aa1ea42bda59b79419ff

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
997630c75e163a75ae2ff6b7c7fd503c

SHA1
cae043daa7f78f3860d3d46eef9787c0a35395d9

SHA256
2d043138f803ebcb7a9ef06b93d829c7b90a626a4f5e3649e70115b7414a7358

SHA512
70539c005d03610c1f3525ff74b7fce7aea39590bdbce15664e1beaf60da947878267e36f2de148f830aa0cbb4036c14922a1b12a9aa54aa466fe2c31df800ef

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c34f821f7f74d3dd56f378fcb0137b92

SHA1
b48748ebd759d94e8b72e108b84f01586a1bc93a

SHA256
af2fe84f0df1fc496af849a24e0f856c075dcf9e3e18fb7767f4cfa386980039

SHA512
b31e117351d6f42d7169877aabbfa3c7efe67f906d9176ba4fc85ef781c8260b444ebaa30f4565d818007b955c4e73e7ab24557621796bc31b727cafcd0ca1cd

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
27fdb7aa18fd1a4418d16209658285e7

SHA1
9c711e438b013d638736cbef9da1dd965fc82ab9

SHA256
b214c4ae9a043d47a4ccc164a705c450cb08dccc56cb2f829b61d7eb654931d6

SHA512
6c9e0039a5dfd6f39347be1f3fea445d94f447f9c029c96ece6d91665ac4ad1e94486e0fff635fc0462fd51eb0ac357c6e9fe5a36e6c21d6adf9b18e19ddaad1

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
a02aa14cfa5c9b6ecead77d9288e696d

SHA1
993051bf32c2d8fc2d491c148c5e66153e02e390

SHA256
ab57bdbc90ca5a106cd852ad9096c72234185d14352a643b0d368c138875a2d4

SHA512
152427af79e5b206faeacc30f87966b4a62bc5584c1d8e176cf22fb74cbafa1125fa233017e466e830de369b06b2cdfd102a30f17f24f4d1a1e9904c649796a3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
190300921b2c71f85ea50fdd68224ab3

SHA1
50f7896dd2fc958892e6a29d7f6cfa0937ab9e80

SHA256
f21d87d48b5abfe2ad5f61fbd990029c87cfe77fbd8342bec5b709e703a53df9

SHA512
34400512a3aed1f2d75e13d245708b032635b9343a2613be8e625f5baf12278f16d1185b1c7c81dc0ca9f0a03a2306c84aca6e01f7782c10936b7a2e256a2afa

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
884b7348418d5f3dbc43d5383ec297a3

SHA1
2d1f1ef1a49575344dd340e04d4ebd8371eeb1b9

SHA256
3ecd5b8f3c896aaeb34993f6946b3ee1107e52ce818d5cc857d97fe3b8fcd5e1

SHA512
755f25c9a922544a279c73e95766f6c2a87a1645ed38af8391285186db5b15c44447b8c536dd0b2cc4e2efbe753821a0a406324e4c8e4e1eb3cc091c37d61de1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6893c60cc24554b1d1b351f2939e6d1a

SHA1
9d63ee114a0531e9c76682b6861aab039b568e2e

SHA256
ad4099b97004b5559d291e884d5c68acb21934ebb8faa0b6d4954220095564c6

SHA512
26c5af3dfea6111fde43279a8ca85afa80dfaa678a3b701128f4a441c921fcbfe8a6f0584cafbbda9070f18570ed1a3692b3fd660ff9a64cdcd0f24d353ecdc1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
1242ea2053ed57e7c449ab2b59dd2215

SHA1
ac66da5f40dc52403b7a7fc4e186e99731fd1c2d

SHA256
285da087e19c6de17f70787da5cc35d9f33c6626ae0c71643c913f284ee174c2

SHA512
55661cc3841f3773ebb5eb0f2b3469657b7d84359c71f7617c1f66af914adb87b0df7974848624714c925f10d3f22110c0f931d4e06da599b6d8134757ba30fb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e132befb6c4dd94b64f726751f0ffad2

SHA1
45ea7977583b68c9a5947f4ea2d3e7c2230eef33

SHA256
5c8731b989a3b620d0e47b141df1f26bb04f4046835415d13e543a4faa712418

SHA512
3b1d423aa2a2a4f7622ec89595054e6550b363cd49965ef2ee16953ec18d20c956c0d11a9d3756f54ff72c50735bb9458c0d2b7dbbaa6b3bcf13d983d53fea3f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6fa021c3d9a350763a1fb6e6cbeda90e

SHA1
fd22cb918def2962bbb11faaa02530c5af22dea9

SHA256
f73213637afc003cb6bee02fd14d30940b967102e66a8579b6c602be0cf498d4

SHA512
8a6930e89df6ae88ab7a018647bec5285f661a51e4e4baa96cfd9420e745e96f1c21945505b2c6cacafcf0b557da39b3056c0ba186c3e75fa500513d76443df6

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2151cf0e1e24438e7a2764d1e52eacfd

SHA1
623b4a1940e6565bd88257b458155277dfb75ccc

SHA256
fcdc488a069475e14582f7ae175b399b04a84edf8039cf1a2ccf05ff5c77aac9

SHA512
5461493fe7b6b28718afd201b78acc00eac973c7d33f4b5348bc9c2637fd536fe42d7110e492e32b34ac92fa2b7974ca6e7ebbc182e612a5cfef38562032465c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b1f03d9c13bf6556315c5b177c04b3c8

SHA1
3666a04cf5a319829233c1527818ad157170e146

SHA256
2960a7c4e3bce4fd52f363efad8c23b55f10b938794411ff4744b66445d2fed0

SHA512
a9ba8606d02389402d67fbb7ade14b0d129027efe7001c4f580fcc1dddaeec662f1d54803801bb4cb622ffbcaee3a52f6fb1cb4463e30ab9bcf2a45ae04bb146

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
884b7348418d5f3dbc43d5383ec297a3

SHA1
2d1f1ef1a49575344dd340e04d4ebd8371eeb1b9

SHA256
3ecd5b8f3c896aaeb34993f6946b3ee1107e52ce818d5cc857d97fe3b8fcd5e1

SHA512
755f25c9a922544a279c73e95766f6c2a87a1645ed38af8391285186db5b15c44447b8c536dd0b2cc4e2efbe753821a0a406324e4c8e4e1eb3cc091c37d61de1

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
95b9511e80a986418f1e11ca1df37810

SHA1
01c3ffa061681e094daad6d3061be2d2b121a3ea

SHA256
ed850f6818f63d0bb9e766e2de65297137d80a153fbff903c9bf5497ae5cc7d4

SHA512
7ddd3d9db12fd75541372aa0c24d43a920bae60f9a89d438d4057e0c69d9b63db82c17fbd2017de24c1506afe9f25d872c7ab531dec71e9ecb7896b79c5b1b2e

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
95b9511e80a986418f1e11ca1df37810

SHA1
01c3ffa061681e094daad6d3061be2d2b121a3ea

SHA256
ed850f6818f63d0bb9e766e2de65297137d80a153fbff903c9bf5497ae5cc7d4

SHA512
7ddd3d9db12fd75541372aa0c24d43a920bae60f9a89d438d4057e0c69d9b63db82c17fbd2017de24c1506afe9f25d872c7ab531dec71e9ecb7896b79c5b1b2e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
3131d9489ff4943b52dae7939c79c6e3

SHA1
30527763c4099eba4bc0816e20b97d6500dafd99

SHA256
9bedb4dde21e4dca0b2f474ae0721be7a1d1eeeefe64d830a04da3fc3dc3e50a

SHA512
b006b0960d3708d48c9e84ae01d4f367812036fe272710d952362c6fb0340a376f34dec178cda3ea5dde442bd88bbe02be7831bdd66a93660cf492794651e36b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
05fe82af5ca598a88427182d548a0623

SHA1
126001010de1f64ee04193fc5ffaa3c645d4fde1

SHA256
6c16bbcfd91ab1b3685fac8ada1677b1bc7275922ded20139fe653f06b7091e3

SHA512
fb313f0589004fdc8b3fc46a1c9b3688de076eec447ee72da5cd5a863a1fd72853dd9f9447ae5cf29670cd21b1cd9239157f8a91ed2d0ef92ec422e6fb28174a

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6d831c3355698c7db8a2dd4f43d436d0

SHA1
68e316ad9381e608ee5e9d03dfd545a93fb3c568

SHA256
3f8f438f6aa8200318dcda1a0b55383d416ab63d49a9ac797fa638c1316e6f0e

SHA512
7a1a7cf46e0ee40467337dbdca0582b2591071f60a836c77564d14f454ab3a11ad51bf15dbfeeb3543388893bb75fa61607d79cdd92211ef95a9c1de60578955

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c34f821f7f74d3dd56f378fcb0137b92

SHA1
b48748ebd759d94e8b72e108b84f01586a1bc93a

SHA256
af2fe84f0df1fc496af849a24e0f856c075dcf9e3e18fb7767f4cfa386980039

SHA512
b31e117351d6f42d7169877aabbfa3c7efe67f906d9176ba4fc85ef781c8260b444ebaa30f4565d818007b955c4e73e7ab24557621796bc31b727cafcd0ca1cd

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
27fdb7aa18fd1a4418d16209658285e7

SHA1
9c711e438b013d638736cbef9da1dd965fc82ab9

SHA256
b214c4ae9a043d47a4ccc164a705c450cb08dccc56cb2f829b61d7eb654931d6

SHA512
6c9e0039a5dfd6f39347be1f3fea445d94f447f9c029c96ece6d91665ac4ad1e94486e0fff635fc0462fd51eb0ac357c6e9fe5a36e6c21d6adf9b18e19ddaad1

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
a02aa14cfa5c9b6ecead77d9288e696d

SHA1
993051bf32c2d8fc2d491c148c5e66153e02e390

SHA256
ab57bdbc90ca5a106cd852ad9096c72234185d14352a643b0d368c138875a2d4

SHA512
152427af79e5b206faeacc30f87966b4a62bc5584c1d8e176cf22fb74cbafa1125fa233017e466e830de369b06b2cdfd102a30f17f24f4d1a1e9904c649796a3

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
190300921b2c71f85ea50fdd68224ab3

SHA1
50f7896dd2fc958892e6a29d7f6cfa0937ab9e80

SHA256
f21d87d48b5abfe2ad5f61fbd990029c87cfe77fbd8342bec5b709e703a53df9

SHA512
34400512a3aed1f2d75e13d245708b032635b9343a2613be8e625f5baf12278f16d1185b1c7c81dc0ca9f0a03a2306c84aca6e01f7782c10936b7a2e256a2afa

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
884b7348418d5f3dbc43d5383ec297a3

SHA1
2d1f1ef1a49575344dd340e04d4ebd8371eeb1b9

SHA256
3ecd5b8f3c896aaeb34993f6946b3ee1107e52ce818d5cc857d97fe3b8fcd5e1

SHA512
755f25c9a922544a279c73e95766f6c2a87a1645ed38af8391285186db5b15c44447b8c536dd0b2cc4e2efbe753821a0a406324e4c8e4e1eb3cc091c37d61de1

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
884b7348418d5f3dbc43d5383ec297a3

SHA1
2d1f1ef1a49575344dd340e04d4ebd8371eeb1b9

SHA256
3ecd5b8f3c896aaeb34993f6946b3ee1107e52ce818d5cc857d97fe3b8fcd5e1

SHA512
755f25c9a922544a279c73e95766f6c2a87a1645ed38af8391285186db5b15c44447b8c536dd0b2cc4e2efbe753821a0a406324e4c8e4e1eb3cc091c37d61de1

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6893c60cc24554b1d1b351f2939e6d1a

SHA1
9d63ee114a0531e9c76682b6861aab039b568e2e

SHA256
ad4099b97004b5559d291e884d5c68acb21934ebb8faa0b6d4954220095564c6

SHA512
26c5af3dfea6111fde43279a8ca85afa80dfaa678a3b701128f4a441c921fcbfe8a6f0584cafbbda9070f18570ed1a3692b3fd660ff9a64cdcd0f24d353ecdc1

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e132befb6c4dd94b64f726751f0ffad2

SHA1
45ea7977583b68c9a5947f4ea2d3e7c2230eef33

SHA256
5c8731b989a3b620d0e47b141df1f26bb04f4046835415d13e543a4faa712418

SHA512
3b1d423aa2a2a4f7622ec89595054e6550b363cd49965ef2ee16953ec18d20c956c0d11a9d3756f54ff72c50735bb9458c0d2b7dbbaa6b3bcf13d983d53fea3f

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6fa021c3d9a350763a1fb6e6cbeda90e

SHA1
fd22cb918def2962bbb11faaa02530c5af22dea9

SHA256
f73213637afc003cb6bee02fd14d30940b967102e66a8579b6c602be0cf498d4

SHA512
8a6930e89df6ae88ab7a018647bec5285f661a51e4e4baa96cfd9420e745e96f1c21945505b2c6cacafcf0b557da39b3056c0ba186c3e75fa500513d76443df6

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2151cf0e1e24438e7a2764d1e52eacfd

SHA1
623b4a1940e6565bd88257b458155277dfb75ccc

SHA256
fcdc488a069475e14582f7ae175b399b04a84edf8039cf1a2ccf05ff5c77aac9

SHA512
5461493fe7b6b28718afd201b78acc00eac973c7d33f4b5348bc9c2637fd536fe42d7110e492e32b34ac92fa2b7974ca6e7ebbc182e612a5cfef38562032465c

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b1f03d9c13bf6556315c5b177c04b3c8

SHA1
3666a04cf5a319829233c1527818ad157170e146

SHA256
2960a7c4e3bce4fd52f363efad8c23b55f10b938794411ff4744b66445d2fed0

SHA512
a9ba8606d02389402d67fbb7ade14b0d129027efe7001c4f580fcc1dddaeec662f1d54803801bb4cb622ffbcaee3a52f6fb1cb4463e30ab9bcf2a45ae04bb146

Download Submit
memory/692-199-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/692-106-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/940-250-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/940-240-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/940-247-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/940-233-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/940-253-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/940-333-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/940-326-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/940-234-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/940-241-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1440-200-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1440-115-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1440-116-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1600-316-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/1600-315-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1848-203-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1848-269-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1848-211-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1848-204-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1848-210-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2088-371-0x0000000000530000-0x0000000000739000-memory.dmp

Filesize
2.0MB

Download
memory/2088-368-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2112-227-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2112-313-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2112-219-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2112-221-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2112-226-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2144-330-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2144-358-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2144-359-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2144-249-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2144-246-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2144-256-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2256-97-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2256-198-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2524-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2524-121-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2524-6-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2524-195-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2524-1-0x0000000000240000-0x00000000002A6000-memory.dmp

Filesize
408KB

Download
memory/2572-312-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2572-305-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2588-57-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2588-197-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2588-92-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2588-85-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2608-336-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-334-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2608-335-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2608-298-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2608-311-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-299-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2616-357-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2616-296-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2684-261-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2684-338-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2684-262-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2684-268-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2708-341-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-353-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2708-314-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-347-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2708-295-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2708-293-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-344-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-343-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2708-342-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2708-352-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-329-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2732-196-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2732-15-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/3016-337-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-328-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/3016-320-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3016-345-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3016-346-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/3016-348-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-369-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/3048-363-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download