016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
20/11/2023, 04:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
Size

1.8MB
MD5

860106fca17e736417e6a3a06d08594a
SHA1

a94e11a5447fc749e3bd5d7d98948402f6c31d6b
SHA256

016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd
SHA512

a3044da77aac19253ee75c5260118ccf15de2c2351988b887b3392e82fac11570d60b351ccae1575191da5e7b1559af3ff12a0f95d58d338bf0f7ee50c29cfad
SSDEEP

49152:wKJ0WR7AFPyyiSruXKpk3WFDL9zxnSyRRVepPHf/0Weo:wKlBAFPydSS6W6X9lnxOPHIo

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
464	Process not Found
2724	alg.exe
2844	aspnet_state.exe
2996	mscorsvw.exe
1948	mscorsvw.exe
580	mscorsvw.exe
1476	mscorsvw.exe
1768	dllhost.exe
1720	ehRecvr.exe
2532	elevation_service.exe
1828	mscorsvw.exe
2876	mscorsvw.exe
2516	mscorsvw.exe
2748	mscorsvw.exe
1704	mscorsvw.exe
2172	mscorsvw.exe
2012	mscorsvw.exe
1624	mscorsvw.exe
1904	mscorsvw.exe
1448	GROOVE.EXE
1728	maintenanceservice.exe
1732	OSE.EXE
2976	mscorsvw.exe
1568	OSPPSVC.EXE
2376	mscorsvw.exe
2232	mscorsvw.exe
544	mscorsvw.exe
1592	mscorsvw.exe
1644	mscorsvw.exe
2444	mscorsvw.exe
3000	mscorsvw.exe
820	mscorsvw.exe
1080	mscorsvw.exe
1824	mscorsvw.exe
2100	mscorsvw.exe
2072	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\65dc7a2b5cb36c99.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_ru.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_sk.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_ms.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_cs.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_es-419.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_et.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_hr.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\GoogleCrashHandler64.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_fa.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\GoogleUpdateOnDemand.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_ar.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{198967AA-917E-4C90-872D-B022E39822F9}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\GoogleUpdateComRegisterShell64.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_da.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_pt-PT.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\GoogleUpdateBroker.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_vi.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\GoogleUpdateCore.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_uk.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_lt.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_nl.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D8D.tmp\goopdateres_tr.dll	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4FCB19AB-7A47-4500-B66F-83DD856F89F2}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4FCB19AB-7A47-4500-B66F-83DD856F89F2}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1824	016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeDebugPrivilege	2724	alg.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1828	1476	mscorsvw.exe	37
PID 1476 wrote to memory of 1828	1476	mscorsvw.exe	37
PID 1476 wrote to memory of 1828	1476	mscorsvw.exe	37
PID 1476 wrote to memory of 2876	1476	mscorsvw.exe	38
PID 1476 wrote to memory of 2876	1476	mscorsvw.exe	38
PID 1476 wrote to memory of 2876	1476	mscorsvw.exe	38
PID 580 wrote to memory of 2516	580	mscorsvw.exe	39
PID 580 wrote to memory of 2516	580	mscorsvw.exe	39
PID 580 wrote to memory of 2516	580	mscorsvw.exe	39
PID 580 wrote to memory of 2516	580	mscorsvw.exe	39
PID 580 wrote to memory of 2748	580	mscorsvw.exe	40
PID 580 wrote to memory of 2748	580	mscorsvw.exe	40
PID 580 wrote to memory of 2748	580	mscorsvw.exe	40
PID 580 wrote to memory of 2748	580	mscorsvw.exe	40
PID 580 wrote to memory of 1704	580	mscorsvw.exe	41
PID 580 wrote to memory of 1704	580	mscorsvw.exe	41
PID 580 wrote to memory of 1704	580	mscorsvw.exe	41
PID 580 wrote to memory of 1704	580	mscorsvw.exe	41
PID 580 wrote to memory of 2172	580	mscorsvw.exe	42
PID 580 wrote to memory of 2172	580	mscorsvw.exe	42
PID 580 wrote to memory of 2172	580	mscorsvw.exe	42
PID 580 wrote to memory of 2172	580	mscorsvw.exe	42
PID 580 wrote to memory of 2012	580	mscorsvw.exe	43
PID 580 wrote to memory of 2012	580	mscorsvw.exe	43
PID 580 wrote to memory of 2012	580	mscorsvw.exe	43
PID 580 wrote to memory of 2012	580	mscorsvw.exe	43
PID 580 wrote to memory of 1624	580	mscorsvw.exe	44
PID 580 wrote to memory of 1624	580	mscorsvw.exe	44
PID 580 wrote to memory of 1624	580	mscorsvw.exe	44
PID 580 wrote to memory of 1624	580	mscorsvw.exe	44
PID 580 wrote to memory of 1904	580	mscorsvw.exe	45
PID 580 wrote to memory of 1904	580	mscorsvw.exe	45
PID 580 wrote to memory of 1904	580	mscorsvw.exe	45
PID 580 wrote to memory of 1904	580	mscorsvw.exe	45
PID 580 wrote to memory of 2976	580	mscorsvw.exe	50
PID 580 wrote to memory of 2976	580	mscorsvw.exe	50
PID 580 wrote to memory of 2976	580	mscorsvw.exe	50
PID 580 wrote to memory of 2976	580	mscorsvw.exe	50
PID 580 wrote to memory of 2376	580	mscorsvw.exe	53
PID 580 wrote to memory of 2376	580	mscorsvw.exe	53
PID 580 wrote to memory of 2376	580	mscorsvw.exe	53
PID 580 wrote to memory of 2376	580	mscorsvw.exe	53
PID 580 wrote to memory of 2232	580	mscorsvw.exe	54
PID 580 wrote to memory of 2232	580	mscorsvw.exe	54
PID 580 wrote to memory of 2232	580	mscorsvw.exe	54
PID 580 wrote to memory of 2232	580	mscorsvw.exe	54
PID 580 wrote to memory of 544	580	mscorsvw.exe	55
PID 580 wrote to memory of 544	580	mscorsvw.exe	55
PID 580 wrote to memory of 544	580	mscorsvw.exe	55
PID 580 wrote to memory of 544	580	mscorsvw.exe	55
PID 580 wrote to memory of 1592	580	mscorsvw.exe	56
PID 580 wrote to memory of 1592	580	mscorsvw.exe	56
PID 580 wrote to memory of 1592	580	mscorsvw.exe	56
PID 580 wrote to memory of 1592	580	mscorsvw.exe	56
PID 580 wrote to memory of 1644	580	mscorsvw.exe	57
PID 580 wrote to memory of 1644	580	mscorsvw.exe	57
PID 580 wrote to memory of 1644	580	mscorsvw.exe	57
PID 580 wrote to memory of 1644	580	mscorsvw.exe	57
PID 580 wrote to memory of 2444	580	mscorsvw.exe	58
PID 580 wrote to memory of 2444	580	mscorsvw.exe	58
PID 580 wrote to memory of 2444	580	mscorsvw.exe	58
PID 580 wrote to memory of 2444	580	mscorsvw.exe	58
PID 580 wrote to memory of 3000	580	mscorsvw.exe	59
PID 580 wrote to memory of 3000	580	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe
"C:\Users\Admin\AppData\Local\Temp\016648c52d22322a90ba8d53e6c27797ba3b00247d911fcaa54c4fc8b27497bd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2996

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 258 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 26c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 270 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 268 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 244 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 288 -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 270 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 294 -NGENProcess 29c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2bc -NGENProcess 120 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2bc -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 2c8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1768

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2532

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1728

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
d58ca8bca2a21bb63f6e08037603ac86

SHA1
396812a8b9aff144ab7f0ee048d26d7588aa345c

SHA256
9ce101cd941aa04b85d1a41bc783ae0beff6a156ffb88ba58ed59e535c804474

SHA512
6e567f2056f4e2fc97777c7cf37bb53f1c2abfd30b641c9ca661ebeb95f7ef76e09490bb90f8d39250db0020493a3cc7710106910f6b74edb91567e9cab9247c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b5f58ed17174d98a2fbc44a180b71deb

SHA1
ee59f1a9187bab279432c25a72f80d7e9ebde37e

SHA256
a649154f0d840d851dd60b2647f6e88498c97341d9d59a95803918270c37132d

SHA512
4ddc94c88dc51d2e7a058411f9ef7607aa74f371be8d19d286929fe7673bbd572602c1b6253039dd7356e61e1f548d73f28087718eb60c9c59fe23b8990ead9f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
2d7e544dba5117217584500b106c12f7

SHA1
cecf67acfe7142fb95d6974f84e39373be0da6b0

SHA256
7db8ed4048a1497766f720e183ac33751b0303b4387d9b14691e2728bdcd4a75

SHA512
273d2609f2a86513575be8b7940d8e01735436a82c5afda20e2b7095a350045871258403692548c0bbf05014057dee2c8193d1cdaa52fa6c62dbd18441b228ed

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d6ab49d4f3d67741961b13186068f15c

SHA1
8473521f09ec6a07d92ccaec8fc805035ca5ff34

SHA256
74b4d87048aff0aedab8995555502a40a9194ae3105789ad412a72e5e4d154c5

SHA512
461257f3a842c970cf40badb21767860fb0fdee74b0dc8a21ee9a1e9c9b25a6dcebee95c9ec5d90f78fcb905108d66053b86599cc570b3b03345e6a8c949a6ec

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
bf324ed236e85f105f25ac33ebaadb4a

SHA1
4d6fb28e99ab33bbebf299975ea234b22ee4fdd9

SHA256
84a1e11ccd279fa3387c7201aa44cdb61705a657bbd01172c302f368575ae01b

SHA512
a612462ca7e2bee3141ba888691f864f53f4ec8e5fd922aa3a5e058511e832a75258321dab754b9b41f73c4d31adcd77d0ef4e6a99920dba9c73eaddc76e5a4c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
92884c3ebe690532f08018789f732cd0

SHA1
7f8d14dec0d3d058fa433acedc2baaec34921c10

SHA256
deb8089b43610a7b0c490a3a8f65b1a81efa7b005c13fca1ffa85ab7e7b8262e

SHA512
7a72818b0c37ffe63da99be53db40d4ff015eb84208842fcab6dd862f80bd60277554a7b512882e080c91ee9a37714923d63015ac14ecdc174185d117af9b3b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
92884c3ebe690532f08018789f732cd0

SHA1
7f8d14dec0d3d058fa433acedc2baaec34921c10

SHA256
deb8089b43610a7b0c490a3a8f65b1a81efa7b005c13fca1ffa85ab7e7b8262e

SHA512
7a72818b0c37ffe63da99be53db40d4ff015eb84208842fcab6dd862f80bd60277554a7b512882e080c91ee9a37714923d63015ac14ecdc174185d117af9b3b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
55c7d5df63204430c7ee2c47a75480d9

SHA1
6290dd8de59df19ea04ff1915de8d118bde4c03c

SHA256
d40a4c556bc34398442729929bc79328a6af9c1eda85abfb99f8221b014ec431

SHA512
49ba14578c82520e818fca77aaa41ce04848fd6abf999823a2e36652bf6eb1f968bde2b9fb7fce8af65f8c39b200558392d929c97eb9975f4aa01802e32e55ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
48c4fad235c8db29736867afbd30eb77

SHA1
cbdf4d08910d872cf554d92cd8c218817d59d35a

SHA256
6d05ff981e25d6016225d6688e613f0ec4bd73ddb98d727610d1c836914c9948

SHA512
f8ad4e1196617b225d9c8f1ff0e7a370cfa2acc3654cb0718d893a24d603a9917c2936d58e4a7c87fb4ce588968c5d96a7438ef3cf3518fb7279429c51333afa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bb7c5ec67f7d970d71dc5dcc592ac0db

SHA1
bfa30942ba77ed627bba78b809ff6cce8e165168

SHA256
48331defea329a0a47e772270e26d3c0de805d99e3c4c010fbca6d31773fe3ee

SHA512
376844f6af250dbe436bbac23d0ce0a44d1f770e9603add37b012d995b287320109247946b436e64bd7aa931457b0758bcf731369829395aab25db1c0dd5ef11

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bb7c5ec67f7d970d71dc5dcc592ac0db

SHA1
bfa30942ba77ed627bba78b809ff6cce8e165168

SHA256
48331defea329a0a47e772270e26d3c0de805d99e3c4c010fbca6d31773fe3ee

SHA512
376844f6af250dbe436bbac23d0ce0a44d1f770e9603add37b012d995b287320109247946b436e64bd7aa931457b0758bcf731369829395aab25db1c0dd5ef11

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bb7c5ec67f7d970d71dc5dcc592ac0db

SHA1
bfa30942ba77ed627bba78b809ff6cce8e165168

SHA256
48331defea329a0a47e772270e26d3c0de805d99e3c4c010fbca6d31773fe3ee

SHA512
376844f6af250dbe436bbac23d0ce0a44d1f770e9603add37b012d995b287320109247946b436e64bd7aa931457b0758bcf731369829395aab25db1c0dd5ef11

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
bb7c5ec67f7d970d71dc5dcc592ac0db

SHA1
bfa30942ba77ed627bba78b809ff6cce8e165168

SHA256
48331defea329a0a47e772270e26d3c0de805d99e3c4c010fbca6d31773fe3ee

SHA512
376844f6af250dbe436bbac23d0ce0a44d1f770e9603add37b012d995b287320109247946b436e64bd7aa931457b0758bcf731369829395aab25db1c0dd5ef11

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
0b7792e2b4d8db49ae3edaa03596b753

SHA1
275b1723a14c35caafb56c5387bb213d1696a748

SHA256
c4a3831b9837453bf16d4e25e0a121dd0a34c38d6ed660d1906aea59d6864ad1

SHA512
29f133bb50cf80569617686cde6c72c516597f0150cee1f59384e2986b98988f112d0b0c01f5eb4bd04e1fe8def5b59cd33a75d8f9682411c66a176e96555d1b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
0b7792e2b4d8db49ae3edaa03596b753

SHA1
275b1723a14c35caafb56c5387bb213d1696a748

SHA256
c4a3831b9837453bf16d4e25e0a121dd0a34c38d6ed660d1906aea59d6864ad1

SHA512
29f133bb50cf80569617686cde6c72c516597f0150cee1f59384e2986b98988f112d0b0c01f5eb4bd04e1fe8def5b59cd33a75d8f9682411c66a176e96555d1b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a4aa2e96ee982b50c96925bdee3dbeb8

SHA1
619b92652fc5d96703e104108664484d2422c964

SHA256
7750d955681cc02498ebee8b2da09c84b70521238bfdecc8637f1ac700ae9ccb

SHA512
8de3525f2fab45ebb88c2386befcc6282590d5b20b8eb0ee19b48fdd23fc91daef99baa758bd27eb105a782a65faa905b3a2a71dfebad48fe12c1fbad68d4ce5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
c002de85f96fb252f5554d5db14f875d

SHA1
0e3c218ea4a49580222d95f486bedaea73abd19d

SHA256
ff8920d56381532de5eb58f998278d5f312f4e2f1dba8d3b2be0a401e19f17eb

SHA512
fbb0d1497ae155c17011203b475b537c7bc3e21fba040b1d1bc9f45027808c7a52c23cd322f9cfb2086d650a3819286ae170dc9c5ac74194ac78cefbb679668d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.1MB

MD5
916e180d32564ac824bf8326f5fdee84

SHA1
e0670ffd7f453cb3e408fd246b7d31437dddb078

SHA256
2cbce20d0e4ea287da031a270e1c942dbc6f74724d6b20eddfff1e75538abeab

SHA512
752a358a148ed5025a72199c715f66d7db275777bc0b3edda6439593bf87f6ba857e2502b5b5c4277cfbca08a64468b77c94fd534551fe7ceb95e72da1916f42

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
ae7853fb7867a07632966cfdd077a265

SHA1
6ab2a63a6dd841a4417eb5fdb27930cb6f2b4928

SHA256
9f4bff4e609a98ea611e88e59d55c0ce323c2c2213cb65c98e51f861e5340c9f

SHA512
3383d625e567a43902f7dd25ebff356de266c9101ceb520bf35a9e7271337f96d77530b5d8e73fd32c4cb593dca3f52d62f1b45f7a34b6f4615f8ad5a5a744cd

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1fed5cd05af94f67829ed14d98a64018

SHA1
aa68feef40f73f510f0c9eb4c5ab964f55533252

SHA256
9e652e937cd7906db83be752a2459d8572953d55336ba771bead4af12d759d33

SHA512
d730d8a6356ef0f9b9b63b69ca8a8060e597a7b85d49178cf3bd1192cbf3a33c9d94e7772bee5ec272d1614bba140ca5d4dc427652337f54c4cbe9773791c6e9

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
92884c3ebe690532f08018789f732cd0

SHA1
7f8d14dec0d3d058fa433acedc2baaec34921c10

SHA256
deb8089b43610a7b0c490a3a8f65b1a81efa7b005c13fca1ffa85ab7e7b8262e

SHA512
7a72818b0c37ffe63da99be53db40d4ff015eb84208842fcab6dd862f80bd60277554a7b512882e080c91ee9a37714923d63015ac14ecdc174185d117af9b3b7

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
48c4fad235c8db29736867afbd30eb77

SHA1
cbdf4d08910d872cf554d92cd8c218817d59d35a

SHA256
6d05ff981e25d6016225d6688e613f0ec4bd73ddb98d727610d1c836914c9948

SHA512
f8ad4e1196617b225d9c8f1ff0e7a370cfa2acc3654cb0718d893a24d603a9917c2936d58e4a7c87fb4ce588968c5d96a7438ef3cf3518fb7279429c51333afa

Download Submit
\Windows\System32\alg.exe

Filesize
1.1MB

MD5
916e180d32564ac824bf8326f5fdee84

SHA1
e0670ffd7f453cb3e408fd246b7d31437dddb078

SHA256
2cbce20d0e4ea287da031a270e1c942dbc6f74724d6b20eddfff1e75538abeab

SHA512
752a358a148ed5025a72199c715f66d7db275777bc0b3edda6439593bf87f6ba857e2502b5b5c4277cfbca08a64468b77c94fd534551fe7ceb95e72da1916f42

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
ae7853fb7867a07632966cfdd077a265

SHA1
6ab2a63a6dd841a4417eb5fdb27930cb6f2b4928

SHA256
9f4bff4e609a98ea611e88e59d55c0ce323c2c2213cb65c98e51f861e5340c9f

SHA512
3383d625e567a43902f7dd25ebff356de266c9101ceb520bf35a9e7271337f96d77530b5d8e73fd32c4cb593dca3f52d62f1b45f7a34b6f4615f8ad5a5a744cd

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1fed5cd05af94f67829ed14d98a64018

SHA1
aa68feef40f73f510f0c9eb4c5ab964f55533252

SHA256
9e652e937cd7906db83be752a2459d8572953d55336ba771bead4af12d759d33

SHA512
d730d8a6356ef0f9b9b63b69ca8a8060e597a7b85d49178cf3bd1192cbf3a33c9d94e7772bee5ec272d1614bba140ca5d4dc427652337f54c4cbe9773791c6e9

Download Submit
memory/580-126-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/580-127-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/580-133-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/580-269-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/1448-400-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1476-142-0x0000000140000000-0x00000001401B5000-memory.dmp

Filesize
1.7MB

Download
memory/1476-287-0x0000000140000000-0x00000001401B5000-memory.dmp

Filesize
1.7MB

Download
memory/1624-382-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/1624-378-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1704-353-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/1704-352-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/1704-328-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/1704-335-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1704-340-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-253-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1720-247-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1720-307-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1720-257-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1720-235-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1720-238-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1720-254-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1720-323-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1720-246-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1768-152-0x0000000100000000-0x000000010019C000-memory.dmp

Filesize
1.6MB

Download
memory/1768-298-0x0000000100000000-0x000000010019C000-memory.dmp

Filesize
1.6MB

Download
memory/1768-158-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1768-151-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1824-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1824-239-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1824-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1824-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1824-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1828-339-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1828-268-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1828-261-0x0000000140000000-0x00000001401B5000-memory.dmp

Filesize
1.7MB

Download
memory/1828-262-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1828-284-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1828-282-0x0000000140000000-0x00000001401B5000-memory.dmp

Filesize
1.7MB

Download
memory/1828-283-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1904-401-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/1948-143-0x0000000010000000-0x00000000101AE000-memory.dmp

Filesize
1.7MB

Download
memory/1948-113-0x0000000010000000-0x00000000101AE000-memory.dmp

Filesize
1.7MB

Download
memory/2012-381-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2012-380-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-368-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-365-0x00000000005B0000-0x0000000000617000-memory.dmp

Filesize
412KB

Download
memory/2172-366-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-350-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2172-367-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2172-354-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-306-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2516-308-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-321-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2516-300-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2516-322-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-318-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2532-251-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2532-252-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2724-51-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2724-50-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2724-62-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2724-61-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2724-159-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2748-338-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2748-324-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-337-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-320-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2844-248-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/2844-94-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/2876-288-0x0000000140000000-0x00000001401B5000-memory.dmp

Filesize
1.7MB

Download
memory/2876-285-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2876-272-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2876-286-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-295-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-293-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2876-294-0x0000000140000000-0x00000001401B5000-memory.dmp

Filesize
1.7MB

Download
memory/2996-123-0x0000000010000000-0x00000000101A6000-memory.dmp

Filesize
1.6MB

Download
memory/2996-97-0x0000000010000000-0x00000000101A6000-memory.dmp

Filesize
1.6MB

Download
memory/2996-98-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2996-104-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download