7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931

Analysis

max time kernel
153s
max time network
158s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 16:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
Size

4.2MB
MD5

51d0dce60904c895f1b67d9ae72b73d7
SHA1

b9d36ce7af3405bd098283e2f9b50254b3058604
SHA256

7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931
SHA512

38a86a40e94d6fd43e60785f0e42e4e617b33822864472adb5cee6bacc19ee41d9f85c694c695ef39bef50bbf98ebdff806f0f1d01f11591166a820064ef16ce
SSDEEP

49152:K08OhxtUg9OUi82w6aQp9dgS1GUL38XhCOYc3iJXv9emEPGKOPkQThMYRMnm7LB/:K08vdsGaQNgS1r6e6ngKpq4D527BWG

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
468	Process not Found
2776	alg.exe
2620	aspnet_state.exe
3060	mscorsvw.exe
2752	mscorsvw.exe
1900	mscorsvw.exe
2512	mscorsvw.exe
1632	dllhost.exe
2316	ehRecvr.exe
2132	ehsched.exe
1088	mscorsvw.exe
2972	mscorsvw.exe
896	mscorsvw.exe
1252	mscorsvw.exe
1304	mscorsvw.exe
2960	mscorsvw.exe
2640	mscorsvw.exe
440	mscorsvw.exe
1572	mscorsvw.exe

Loads dropped DLL 6 IoCs

pid	Process
2648	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3658eeb651113ee7.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5D5E2715-C8B4-4251-8612-35FE9D0CA03B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5D5E2715-C8B4-4251-8612-35FE9D0CA03B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2648	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2648	7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe
Token: SeShutdownPrivilege	2512	mscorsvw.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1088	1900	mscorsvw.exe	37
PID 1900 wrote to memory of 1088	1900	mscorsvw.exe	37
PID 1900 wrote to memory of 1088	1900	mscorsvw.exe	37
PID 1900 wrote to memory of 1088	1900	mscorsvw.exe	37
PID 1900 wrote to memory of 2972	1900	mscorsvw.exe	38
PID 1900 wrote to memory of 2972	1900	mscorsvw.exe	38
PID 1900 wrote to memory of 2972	1900	mscorsvw.exe	38
PID 1900 wrote to memory of 2972	1900	mscorsvw.exe	38
PID 1900 wrote to memory of 896	1900	mscorsvw.exe	39
PID 1900 wrote to memory of 896	1900	mscorsvw.exe	39
PID 1900 wrote to memory of 896	1900	mscorsvw.exe	39
PID 1900 wrote to memory of 896	1900	mscorsvw.exe	39
PID 1900 wrote to memory of 1252	1900	mscorsvw.exe	40
PID 1900 wrote to memory of 1252	1900	mscorsvw.exe	40
PID 1900 wrote to memory of 1252	1900	mscorsvw.exe	40
PID 1900 wrote to memory of 1252	1900	mscorsvw.exe	40
PID 1900 wrote to memory of 1304	1900	mscorsvw.exe	41
PID 1900 wrote to memory of 1304	1900	mscorsvw.exe	41
PID 1900 wrote to memory of 1304	1900	mscorsvw.exe	41
PID 1900 wrote to memory of 1304	1900	mscorsvw.exe	41
PID 1900 wrote to memory of 2960	1900	mscorsvw.exe	42
PID 1900 wrote to memory of 2960	1900	mscorsvw.exe	42
PID 1900 wrote to memory of 2960	1900	mscorsvw.exe	42
PID 1900 wrote to memory of 2960	1900	mscorsvw.exe	42
PID 1900 wrote to memory of 2640	1900	mscorsvw.exe	44
PID 1900 wrote to memory of 2640	1900	mscorsvw.exe	44
PID 1900 wrote to memory of 2640	1900	mscorsvw.exe	44
PID 1900 wrote to memory of 2640	1900	mscorsvw.exe	44
PID 1900 wrote to memory of 440	1900	mscorsvw.exe	45
PID 1900 wrote to memory of 440	1900	mscorsvw.exe	45
PID 1900 wrote to memory of 440	1900	mscorsvw.exe	45
PID 1900 wrote to memory of 440	1900	mscorsvw.exe	45
PID 1900 wrote to memory of 1572	1900	mscorsvw.exe	47
PID 1900 wrote to memory of 1572	1900	mscorsvw.exe	47
PID 1900 wrote to memory of 1572	1900	mscorsvw.exe	47
PID 1900 wrote to memory of 1572	1900	mscorsvw.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe
"C:\Users\Admin\AppData\Local\Temp\7ee18cbf75f819b84217ec40bf36596bf490807f1528189071c4ea094b1b0931.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3060

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 248 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 23c -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 278 -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 23c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1632

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2316

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1660

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:2308

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2116

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2948

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1132

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2720

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:2300

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1684

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2080

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2568
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1154728922-3261336865-3456416385-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1154728922-3261336865-3456416385-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:844
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1064
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
c98fb07bd8bba851cf988b1e1bb178b8

SHA1
18c979002841df198a9c96eccf994ea8e018b92c

SHA256
91c282863d11550ea7050742610eb94d8f44f6615da9de93a30e725ae39bbff5

SHA512
3fd22229485ca8acd8c1430d03970ecd6321af84a0c340f5f12dc7f131a58e2e7331c120d506c96835c583eddd058b084543313d330801338d52f1dca6a43fc7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b87838f89c56212a16cf6b6f90774e2f

SHA1
9f857e265333bf3a5aa4d3967af5e5057246550d

SHA256
97f8998b8f5ef2481de0d7a64602642064ad3db89d46fb3e845a77551ff8e9a2

SHA512
73f01b4d58423c520b628799aabf3b762418268072abaa3292014474df4177546de3242e4761fc62ef433ab160ffcf2b1aba1d9b55225427e5cac68ecc26d125

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cd9f5a5f9b57da46bd5448045b9dc503

SHA1
f273110c62f3d4d76ddfaab693c8ba0b4cc67fe1

SHA256
32d008511838e43fadc2d36bbd9e1abdc0912f25248e4dfbab6f64a131c20030

SHA512
ad46c807f5428d730fd40a80f7d4014e24c89f6cea45ca53f1db5338a797012e9f2a7152fb33df3447089a954626ea502a676a27a151c58325b12b2197b8216e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d0b623f599b3dca41c583729b98f768f

SHA1
44912bb6d579dc0375830922dd74e798fe72db5e

SHA256
875d08b9f2a9eac05883b5c820dcd68e5bc472cff6a060f9a8bad4aa356ce9bd

SHA512
c47003af32f9886c2ba5bb722c0b2810b9acc88a48bc70d35bc4bad221a695bcaf7d7568599db30026f121ddc923211ea594626c77a3b43e64125264339d7987

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3fa75b83c15b9568fc06f00d7b2537a4

SHA1
8badb847363e351d69a1a614d356f49c4e46ba33

SHA256
8ddf29b0b92870fb869a01a798132b2baaf250408ad7872b45b08540affc6352

SHA512
ac2ba0c3ea54bab26da6caeeee5bd79c9d98d550cd9c41b57c8f1dd3f3d5d392151e9d4dcb8c6d71927b3f06240210253113e87238db8b6ef1b9b7051af68b53

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
653e24436a12c73db99d5d76554bda1b

SHA1
8644479280d1c552b8a4fbb3362d34d5baecb7c1

SHA256
19fd8d659161ecedcfcf807b55da9dc7a78ef4fc5fc2fc660c7409f61a2da799

SHA512
5ec7d21d4fd80e13692b503e4f535f1c7d74e012baa9588059cd2c0e13c869814c10358df4ac119e08bf067f5c936f4678d1ddc8c527b32c19dabb71189d2fe4

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
f3af5118bf9d2d68efdf83fbb629e26b

SHA1
c9c4acb029e361145f665c1c56a1e25c5dc4be8c

SHA256
52af3ce8a74bc67f119edd1226f2b5faab80077637e26c42631ad2e0e75786bf

SHA512
6838183a8698761562465033c9a6d54e399c460e12a8e89623bd5cce36e31285e464daaddf04dc146ac848113c13107eacdbd2288794cc5f5946923b8986edab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8541a29b737877c4b769a180a7fdaa4a

SHA1
7f2e1648883f60ecb7e7a261e24104ff90dbd81d

SHA256
bfef5f4436347ef70032d72fa7c92aa42ac15e766789c1a2502bf6d007a10c4e

SHA512
a7cf2d0cdcad20f91b45bb10f20b2235649a77a7059eecf490882da8ddfb572934bf6b6985001dff51e3919e922372b8919e9ffbcd71cb387a41d5cba05204a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8541a29b737877c4b769a180a7fdaa4a

SHA1
7f2e1648883f60ecb7e7a261e24104ff90dbd81d

SHA256
bfef5f4436347ef70032d72fa7c92aa42ac15e766789c1a2502bf6d007a10c4e

SHA512
a7cf2d0cdcad20f91b45bb10f20b2235649a77a7059eecf490882da8ddfb572934bf6b6985001dff51e3919e922372b8919e9ffbcd71cb387a41d5cba05204a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a6f341d2bc760a68bce6b4b0910fe39f

SHA1
3c71eca4d149ad5f4e30256ea36b8ed334b01cce

SHA256
973e6803aab21a05c20e2bfdb4a8257cbc768966da62cd569c97c58791006143

SHA512
71bb07a794901e6b4e92c3574028cb3ddd885df0d7961176185dc4a72aa06f323143b2821d3e23c2f90de9902a0a54b3f9c2448dc6780952bc6128d442b66249

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
1e4cbbfff568c20353f9cdb4baa7a27e

SHA1
6e983a5c63f578cd6950ee5b911ef12cf54f412d

SHA256
7c1f8c67ed4cc2c91a40c6c74c7312d23995d930bf58beea98baa3611e7d57c2

SHA512
6e12027e444431af6152b06eebe7494e216f1e5c323373ca37698cf04b5780f87c414673d5df9eb99985b7c773c5f485d2b1e291adf203a08ec1743dda7cfca4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ff3f6a1b8b2648e8535e35ca529ab6ad

SHA1
65a45a0605d7ed4302d3c67eb8faa65a07571ff7

SHA256
97600e119a9eb8960740dd17f302fdbcf4d6befaab7f95f57524a2cdfb98a4ca

SHA512
3b3a111f64aa79279909da4b1f16796054d0ee3728b30bdf53b9cb8a154367e00353a0382db49e92ff434c41c9db1e6b80a8357928d2c50a87e752d8cffb200f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ff3f6a1b8b2648e8535e35ca529ab6ad

SHA1
65a45a0605d7ed4302d3c67eb8faa65a07571ff7

SHA256
97600e119a9eb8960740dd17f302fdbcf4d6befaab7f95f57524a2cdfb98a4ca

SHA512
3b3a111f64aa79279909da4b1f16796054d0ee3728b30bdf53b9cb8a154367e00353a0382db49e92ff434c41c9db1e6b80a8357928d2c50a87e752d8cffb200f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
98be2052bf9a3cd710b5c17e92306edb

SHA1
e8c879fc1834d5eb9f8565840d057213adef1fd4

SHA256
9e5410d75ec8f7d4769e30fbb2f8d156b7d50418987313b2de930382509727cb

SHA512
71400a320d2336f6185056a8585f506100e2823dba411c31962441074c63b5289a5eb5213e6cdb8bb6829c3148884dfceab1908e5f89a7d485256f985c161e71

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
98be2052bf9a3cd710b5c17e92306edb

SHA1
e8c879fc1834d5eb9f8565840d057213adef1fd4

SHA256
9e5410d75ec8f7d4769e30fbb2f8d156b7d50418987313b2de930382509727cb

SHA512
71400a320d2336f6185056a8585f506100e2823dba411c31962441074c63b5289a5eb5213e6cdb8bb6829c3148884dfceab1908e5f89a7d485256f985c161e71

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
24da170e90f32f83e697331bc74613d4

SHA1
ebd59ed7e858d14e7f46d0555226069eec2b6620

SHA256
c18f9a5dcb17b2aab1a14a9244cb9ea943e426de98dfea3e9bcd7d8dbe5c9570

SHA512
be90315b6da92064ff61d65f0d7260c1c0143d22c054a39b17bed0a947799cf8ad802c9c162244129f08e4c216fba853a99f91c8ea4010d3015200d59a1714cd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d305a0ccbb7fd70652bb34c44ea88b47

SHA1
9eb2f60c170a23b082570a226fab45e854bdf1f9

SHA256
a7092851f4c77dcb9c18b72e80930d69e093c89a8c7fc6931222b4a58dcafd33

SHA512
0e6099758ecfb9055d3ad341ee0c2a379101f58342aad1c3b8a4c4fbb482431cbf7e103bd3e0a17ef44218e8a37e9cb8f6fbfbf7efae2164ecbd2770e9dd3a33

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
35a459a0dd820bcfd7b14240fc9a5ac4

SHA1
00a4d770a99765dd9d092d9708724ab1778753f7

SHA256
00a752cc0304e744e1cfb049cd1574ad6e6b36158d8edc9e6ba5c8ec2b3d28b7

SHA512
50039150334446a5339dcb36580a31c19e9e72bc4532a785335dcd2ac9af1ea55bf36af0ce21760969dd4db828116caac7c63719e0465672161bb843bcaf40f5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
46ecec632a0936be13c501ded8ae0834

SHA1
dd2a41ca451e00946115c909d27b44eb92f4beae

SHA256
3cd538c751dd584b923bc171edb3b762b6d6170aaa762ed4021c2a8dc798204d

SHA512
16f8c1cdb36323158f77f28dbfbf60e80ad427adb9d63751f395fc7e236788e89c67aacfb7c4ab63d0c9ed4c8ebaba9838d1ae31e85b8a1d8a87751883206b36

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
426ae03704c8cf8642fbd14fb0685e75

SHA1
f9236e29dc94aefb54507a859ee5095be12a947a

SHA256
2da6882a13df76eca10fbd522ebc624c595d20fea20bbfc7b11ff86d02843fc2

SHA512
ccb01327c938a29d252731c879d067662fea3391ec42947389a8c60d8a9af11611333f91fabb3750fb89ca230ced98508245ba91f5b6831dbf6dc46e3e57fa9b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
7ecb713dec1cb90754dc9c54f170c043

SHA1
1827cac727b4d77925b65b42b1382426bd68b72d

SHA256
88b2c948152f1dc2912c66214d305ce391487e63f6b1a7e3c54f01a50a992da1

SHA512
ae8c86d9d1165e0b8444a7a60a423d017ccb12e24ad5e7c81468bec107dd1a8a0e05b34beddaef1b9ab20414dd7577bfaf6ef89d2a22afbc48c6c4db82bb51a8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cdb9fc5cb89387c76954760c8613eb87

SHA1
edce784f8565979577540059475367323cefe159

SHA256
3b3a2d73ced94aac5f554f27eb565bfc86ef38e423f7456b80a152dd39fba8c7

SHA512
53395f6d7fa7d67886b812ec522f0d78132ca0ac330193f6eda95454de4ccb871f2996addca3542f77522d9c38021c4dd32517b1f3e3ae952306fea154a68920

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
4e9d90bf4da90275edcdcb099a666f45

SHA1
45663c46a0ab609ba3b2eed16413a163fafe1a99

SHA256
55eb715f59bbf1e8bbb4e8438974eab1e5ddcad06457309aebf0d97958a2dbbb

SHA512
361a00df88e02599c224fea881153960b02e5c3b99d7af4247e70731f8eb9bec1b2d6999050feca3e23fd0df0aef8cb6b59786dc3a44f8fee93e0e359b0ba396

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
19645d02bd0188e313a02ef5df096af1

SHA1
c0116c77a9dff67321c312e697ba1d01d2e043af

SHA256
2964188ee1a2fcb2f313009124add90ae181d73c8ae5575cdd37ec47b90805b5

SHA512
de78a9021eb1f3e1f581c2e3ddb24c6e3c971af79c865058e474c6e206b15f76f8028294ad27c595e89ef32be10c58ae218aa1d541eb4d3682320525a0ed9790

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
96ba180ed44dd5bef153244e9c4fbd22

SHA1
a60d3696dbd306164896a2384b4e39f88aec74fb

SHA256
548e7d8c8a43b409b3237daed2738b5907f99133729a56a9805a775a063d2942

SHA512
7f4264f1e3bab067adaf17e24d12b8fc7039349f30886735d661b4265c9109c1c5b16accaddd746a53ae1d034a70abf83150c3f7ef5e370e0da4c0dcf5dd11d9

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0ae5dc0e97f1009919f9145a1ab33ea6

SHA1
8c17bfe1eabd0bf9481d7488041bb356f5d93151

SHA256
5b45afc0311ee83f4cad06e9e671ede3ba8e04934dcb6874cf17f9860137cb93

SHA512
3c375d2688a57cfde4a85a9c9560b5192cca17e16a13476007ae8ee6d60bddb722e4263eefea95b2eb393c4ae3b513671ce0fd89a81a054b884bb5114aa00c93

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
465ba68cd3470d640e31f367735fc76f

SHA1
2e0f17a12717800dabc6ca55d87296c5edfde3eb

SHA256
cd9716004108de9904c23c9ff2dc9bc7023e898083871b527dec7b0a59562380

SHA512
49062dcf269c99899ed69a1ee8a9ad51adad98462c814b621d45ea5e395bd0865716930664429e1c6c8f91b6780674e9e9e954e285fe23f9c8ed7984d9dbb72d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
e85f46636abb3b40448941fd78af2996

SHA1
6cb634c14be6f93702e5d3546152507fd2a243e5

SHA256
1995497443c15478aa6ae648d7fe24c9fa7354b03e9dbc187daf713b801f2cd2

SHA512
c6c534d8ee93c3037b40dc986486eed64b9d59eca3a5255354cca26661483528af90fd3d8b68ae8255327cd460a880394017182996ab614f2e1812d070475e8d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
244d9be8054ace980897e669012b7c2f

SHA1
db7616e0eebd99fbaf3d4299885ff6c0cbfcf595

SHA256
70ebaa43e4e6413809dd8c1bf7327dc608cae88293201de6f82fd1d7821202ae

SHA512
7a4e121bfc39f9b1d33ee0cc262412cef809161e5539bd6ac9b6657e8f7886afc165e146eff55b866cabbd6385eb00c7c80241a0af979506b8f318e11c1e0377

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3fabfaf17ec536269d77540a40d670dc

SHA1
9c33ce17d198fadf33a4572b80c8497ca10ae651

SHA256
d532fd20719611fef186cc4c8d6bf95777d2fc7f6522100f32cc90d2a1ddd1b1

SHA512
421c8dc0c760f2027a0dc07400557d4a5563af24acc31c5bcc714e47821ebfceb0351d53db67d07156702c6548cb31b14c2a352f6bb5d6fcd47bec5ef5cdd842

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
93eb17c17382437f8b55c074ee04f01a

SHA1
5be4bd56b2e68af40d44ed49cd6349d7bec182b1

SHA256
58d68bb7fe5c871b93eb2c6cae063d3fc76bae4e86fc70aca2c8b2a520b7dc47

SHA512
4ac946b8146d4cc071168fd41de3cf48a592f6f704a002f6ebce705f89d32faaacc6f1b9e6efe4c58d363d9a1393e8a024180921e8b86a85f4a8fc91673694c0

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fc675684cc7c1b299d10a69a3cf95edb

SHA1
53117165ffecf33bc7acb7546a1be20a39a3abc9

SHA256
817622c11379e3e9a7b1d2247350ef1c05807aa63c887c8e8c93626d42d01cce

SHA512
af498912053e93698cd9a0bf7856302cf82f5d11b6cb703990f6bb61db8a0722065295b00fac03840a6696fd48d1493e1f0e99126ec631edc439f39320c5186e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
0ae5dc0e97f1009919f9145a1ab33ea6

SHA1
8c17bfe1eabd0bf9481d7488041bb356f5d93151

SHA256
5b45afc0311ee83f4cad06e9e671ede3ba8e04934dcb6874cf17f9860137cb93

SHA512
3c375d2688a57cfde4a85a9c9560b5192cca17e16a13476007ae8ee6d60bddb722e4263eefea95b2eb393c4ae3b513671ce0fd89a81a054b884bb5114aa00c93

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
653e24436a12c73db99d5d76554bda1b

SHA1
8644479280d1c552b8a4fbb3362d34d5baecb7c1

SHA256
19fd8d659161ecedcfcf807b55da9dc7a78ef4fc5fc2fc660c7409f61a2da799

SHA512
5ec7d21d4fd80e13692b503e4f535f1c7d74e012baa9588059cd2c0e13c869814c10358df4ac119e08bf067f5c936f4678d1ddc8c527b32c19dabb71189d2fe4

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
653e24436a12c73db99d5d76554bda1b

SHA1
8644479280d1c552b8a4fbb3362d34d5baecb7c1

SHA256
19fd8d659161ecedcfcf807b55da9dc7a78ef4fc5fc2fc660c7409f61a2da799

SHA512
5ec7d21d4fd80e13692b503e4f535f1c7d74e012baa9588059cd2c0e13c869814c10358df4ac119e08bf067f5c936f4678d1ddc8c527b32c19dabb71189d2fe4

Download Submit
\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll

Filesize
74KB

MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8541a29b737877c4b769a180a7fdaa4a

SHA1
7f2e1648883f60ecb7e7a261e24104ff90dbd81d

SHA256
bfef5f4436347ef70032d72fa7c92aa42ac15e766789c1a2502bf6d007a10c4e

SHA512
a7cf2d0cdcad20f91b45bb10f20b2235649a77a7059eecf490882da8ddfb572934bf6b6985001dff51e3919e922372b8919e9ffbcd71cb387a41d5cba05204a8

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
1e4cbbfff568c20353f9cdb4baa7a27e

SHA1
6e983a5c63f578cd6950ee5b911ef12cf54f412d

SHA256
7c1f8c67ed4cc2c91a40c6c74c7312d23995d930bf58beea98baa3611e7d57c2

SHA512
6e12027e444431af6152b06eebe7494e216f1e5c323373ca37698cf04b5780f87c414673d5df9eb99985b7c773c5f485d2b1e291adf203a08ec1743dda7cfca4

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
46ecec632a0936be13c501ded8ae0834

SHA1
dd2a41ca451e00946115c909d27b44eb92f4beae

SHA256
3cd538c751dd584b923bc171edb3b762b6d6170aaa762ed4021c2a8dc798204d

SHA512
16f8c1cdb36323158f77f28dbfbf60e80ad427adb9d63751f395fc7e236788e89c67aacfb7c4ab63d0c9ed4c8ebaba9838d1ae31e85b8a1d8a87751883206b36

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cdb9fc5cb89387c76954760c8613eb87

SHA1
edce784f8565979577540059475367323cefe159

SHA256
3b3a2d73ced94aac5f554f27eb565bfc86ef38e423f7456b80a152dd39fba8c7

SHA512
53395f6d7fa7d67886b812ec522f0d78132ca0ac330193f6eda95454de4ccb871f2996addca3542f77522d9c38021c4dd32517b1f3e3ae952306fea154a68920

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
4e9d90bf4da90275edcdcb099a666f45

SHA1
45663c46a0ab609ba3b2eed16413a163fafe1a99

SHA256
55eb715f59bbf1e8bbb4e8438974eab1e5ddcad06457309aebf0d97958a2dbbb

SHA512
361a00df88e02599c224fea881153960b02e5c3b99d7af4247e70731f8eb9bec1b2d6999050feca3e23fd0df0aef8cb6b59786dc3a44f8fee93e0e359b0ba396

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
19645d02bd0188e313a02ef5df096af1

SHA1
c0116c77a9dff67321c312e697ba1d01d2e043af

SHA256
2964188ee1a2fcb2f313009124add90ae181d73c8ae5575cdd37ec47b90805b5

SHA512
de78a9021eb1f3e1f581c2e3ddb24c6e3c971af79c865058e474c6e206b15f76f8028294ad27c595e89ef32be10c58ae218aa1d541eb4d3682320525a0ed9790

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
96ba180ed44dd5bef153244e9c4fbd22

SHA1
a60d3696dbd306164896a2384b4e39f88aec74fb

SHA256
548e7d8c8a43b409b3237daed2738b5907f99133729a56a9805a775a063d2942

SHA512
7f4264f1e3bab067adaf17e24d12b8fc7039349f30886735d661b4265c9109c1c5b16accaddd746a53ae1d034a70abf83150c3f7ef5e370e0da4c0dcf5dd11d9

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0ae5dc0e97f1009919f9145a1ab33ea6

SHA1
8c17bfe1eabd0bf9481d7488041bb356f5d93151

SHA256
5b45afc0311ee83f4cad06e9e671ede3ba8e04934dcb6874cf17f9860137cb93

SHA512
3c375d2688a57cfde4a85a9c9560b5192cca17e16a13476007ae8ee6d60bddb722e4263eefea95b2eb393c4ae3b513671ce0fd89a81a054b884bb5114aa00c93

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0ae5dc0e97f1009919f9145a1ab33ea6

SHA1
8c17bfe1eabd0bf9481d7488041bb356f5d93151

SHA256
5b45afc0311ee83f4cad06e9e671ede3ba8e04934dcb6874cf17f9860137cb93

SHA512
3c375d2688a57cfde4a85a9c9560b5192cca17e16a13476007ae8ee6d60bddb722e4263eefea95b2eb393c4ae3b513671ce0fd89a81a054b884bb5114aa00c93

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
465ba68cd3470d640e31f367735fc76f

SHA1
2e0f17a12717800dabc6ca55d87296c5edfde3eb

SHA256
cd9716004108de9904c23c9ff2dc9bc7023e898083871b527dec7b0a59562380

SHA512
49062dcf269c99899ed69a1ee8a9ad51adad98462c814b621d45ea5e395bd0865716930664429e1c6c8f91b6780674e9e9e954e285fe23f9c8ed7984d9dbb72d

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
244d9be8054ace980897e669012b7c2f

SHA1
db7616e0eebd99fbaf3d4299885ff6c0cbfcf595

SHA256
70ebaa43e4e6413809dd8c1bf7327dc608cae88293201de6f82fd1d7821202ae

SHA512
7a4e121bfc39f9b1d33ee0cc262412cef809161e5539bd6ac9b6657e8f7886afc165e146eff55b866cabbd6385eb00c7c80241a0af979506b8f318e11c1e0377

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3fabfaf17ec536269d77540a40d670dc

SHA1
9c33ce17d198fadf33a4572b80c8497ca10ae651

SHA256
d532fd20719611fef186cc4c8d6bf95777d2fc7f6522100f32cc90d2a1ddd1b1

SHA512
421c8dc0c760f2027a0dc07400557d4a5563af24acc31c5bcc714e47821ebfceb0351d53db67d07156702c6548cb31b14c2a352f6bb5d6fcd47bec5ef5cdd842

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
93eb17c17382437f8b55c074ee04f01a

SHA1
5be4bd56b2e68af40d44ed49cd6349d7bec182b1

SHA256
58d68bb7fe5c871b93eb2c6cae063d3fc76bae4e86fc70aca2c8b2a520b7dc47

SHA512
4ac946b8146d4cc071168fd41de3cf48a592f6f704a002f6ebce705f89d32faaacc6f1b9e6efe4c58d363d9a1393e8a024180921e8b86a85f4a8fc91673694c0

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fc675684cc7c1b299d10a69a3cf95edb

SHA1
53117165ffecf33bc7acb7546a1be20a39a3abc9

SHA256
817622c11379e3e9a7b1d2247350ef1c05807aa63c887c8e8c93626d42d01cce

SHA512
af498912053e93698cd9a0bf7856302cf82f5d11b6cb703990f6bb61db8a0722065295b00fac03840a6696fd48d1493e1f0e99126ec631edc439f39320c5186e

Download Submit
memory/440-249-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/440-256-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/440-258-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/896-199-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/896-200-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/896-172-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/896-185-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/896-179-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1088-143-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1088-153-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-144-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1088-152-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1088-168-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-167-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1252-214-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/1252-197-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/1252-189-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1252-213-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1252-194-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1304-203-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1304-229-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/1304-208-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1304-230-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1304-215-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/1304-228-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1572-270-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/1572-263-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1632-104-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1632-156-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1632-108-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1632-111-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1900-68-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1900-69-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1900-75-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1900-139-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2132-134-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2132-131-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2316-169-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2316-128-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2316-127-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2316-136-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2316-117-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2316-118-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2316-124-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2512-150-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2512-88-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2512-86-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2512-93-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2620-112-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2620-36-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2640-245-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-234-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2648-0-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2648-102-0x0000000002BB0000-0x0000000002BBA000-memory.dmp

Filesize
40KB

Download
memory/2648-1-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/2648-6-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/2648-27-0x0000000002BB0000-0x0000000002BBA000-memory.dmp

Filesize
40KB

Download
memory/2648-29-0x0000000002BB0000-0x0000000002BBA000-memory.dmp

Filesize
40KB

Download
memory/2648-67-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2648-103-0x0000000002BB0000-0x0000000002BBA000-memory.dmp

Filesize
40KB

Download
memory/2752-83-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2752-55-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2776-85-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2776-16-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2776-18-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2776-24-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2960-244-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2960-231-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-243-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-218-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2960-226-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/2972-184-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2972-183-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-158-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2972-170-0x0000000071B90000-0x000000007227E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-163-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/3060-39-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3060-40-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/3060-45-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/3060-65-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download