22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab

Analysis

max time kernel
116s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
Size

1.8MB
MD5

3777035f57a056bfb8385e359b394599
SHA1

c03866e52ba887911493e852512a9b0f15761d23
SHA256

22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab
SHA512

363e78110fa5dde6cc89fbf66e383d677660e5552729356ac9952585d860286413788ad97a07cf131adf200daa9743730b49534441694f64f952d176787193f4
SSDEEP

49152:PKJ0WR7AFPyyiSruXKpk3WFDL9zxnSi/snji6attJM:PKlBAFPydSS6W6X9lnpEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
464	Process not Found
2852	alg.exe
2900	aspnet_state.exe
1904	mscorsvw.exe
1932	mscorsvw.exe
1488	mscorsvw.exe
1396	mscorsvw.exe
896	mscorsvw.exe
592	ehRecvr.exe
1856	mscorsvw.exe
1596	dllhost.exe
2596	elevation_service.exe
2632	GROOVE.EXE
1680	maintenanceservice.exe
1824	OSE.EXE
1320	OSPPSVC.EXE
1052	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f46529b31b98a6ad.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_hu.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_pt-PT.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_ta.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdate.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_hr.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_fil.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_sr.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_am.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_vi.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_es.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_th.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_zh-CN.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_bn.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_sk.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_ca.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_en-GB.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\GoogleUpdateOnDemand.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_ml.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\GoogleUpdateCore.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3312.tmp\goopdateres_mr.dll	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{917469E3-04C4-4C88-A87F-14EECA9020A2}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{917469E3-04C4-4C88-A87F-14EECA9020A2}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3024	22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	1396	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	1396	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	1488	mscorsvw.exe
Token: SeShutdownPrivilege	1396	mscorsvw.exe
Token: SeShutdownPrivilege	1396	mscorsvw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 896	1396	mscorsvw.exe	34
PID 1396 wrote to memory of 896	1396	mscorsvw.exe	34
PID 1396 wrote to memory of 896	1396	mscorsvw.exe	34
PID 1396 wrote to memory of 1856	1396	mscorsvw.exe	36
PID 1396 wrote to memory of 1856	1396	mscorsvw.exe	36
PID 1396 wrote to memory of 1856	1396	mscorsvw.exe	36
PID 1396 wrote to memory of 1052	1396	mscorsvw.exe	45
PID 1396 wrote to memory of 1052	1396	mscorsvw.exe	45
PID 1396 wrote to memory of 1052	1396	mscorsvw.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe
"C:\Users\Admin\AppData\Local\Temp\22081e1b19b3a5b63d65154da73a96b45e8a926b502be7cec228201f3d523dab.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1904

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:592

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2596

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2632

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1680

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1824

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
398KB

MD5
7d66f3fe23f8bcd04ae8f8b635d10a74

SHA1
4785e2a2bbd186064875bc236ec38ca0765e09ad

SHA256
54fe487433d4807cdae59ac771a2312e0ce395ef342695362cc11ba0c151fa5b

SHA512
1ccf150c0d452ee4bc4ca30e4a327aab4de098ba80ee0917a7b5896fbc9538a0d642a986bb628443c07226b44a566e5b9ebeb23f3bddfeb1faaff2585ab90d64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.5MB

MD5
f70aa73752b3dba1df95c59c3dc65dcb

SHA1
5443f8efaeacc1c78e2e46bbadb124970e5fddfb

SHA256
ae8ab8e9463f721103f3e508b778075a7f2e7bcac13cd099e5115a8690a2f644

SHA512
b7c58e9b829c1fabddc95b63f1873ce7647f81d4a6cb31cbf51fba51b9eb61a9f5ee6eff3ab86943b73583d0a681bdbc6656e3574e525125faada8c44a76a8cf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
840KB

MD5
9f0ea3827576f0559ce4fb18f7a73e23

SHA1
b82212fe7284d7c7010d1f3c67e430811d0657b5

SHA256
413e5762fd6973c609c4410adb77827c37277d5fbbde0c9128102b348de1447c

SHA512
7b0520d57fcd74583fca3e6676681b9bd948226d99b305c25a5c31974999804b0f71b84f168da343e7f8ea640f357bd897ebce02f00aab52f5b290f5868302dd

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
438KB

MD5
7bebc810dfca4ffa9a830744e3841f3b

SHA1
3bccc4d53a896e0249a0b74f6cb089b50697f171

SHA256
8db5ba660fc00edf5b8dc11053091beaf31fffd074df27f78aa3af4acc65e225

SHA512
8de45ce367e58892dc6a9ef5e28bf80c6d12cfff178664f86ed4ad71d4786da44f5784420828d4a59fccf3db6882988f3f6082a9a760e102b83be935d865e5f0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
64KB

MD5
2db59ec06c5812c8597bf24b77fa8e18

SHA1
0be60ecbecfd8adbe05977884532fea3b9f58d4e

SHA256
d43aa5d7846325104caf9677fc8cc6f02cbc1c7cd49a85ce3a19cc71a7c35358

SHA512
689b82b936a545d5230b722c8cb92395ee2e83d578341381f5d4c7cc0dd9a538194912e3f19bb0d393850dbb1e6e4626fe9a02ecaa9682d0222300054e3c8bed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
82KB

MD5
722beeca22d6bd60f354ff980e620062

SHA1
defc8bdef062ec80be966fa3fa264bde03eefc17

SHA256
079cf895a5c329de9bec574d884ed054d9dcf257c9d9bb52ac88da4ecff2c3f9

SHA512
bd1e3a7f26b6ba7e8b840acdc28dedd4a4803bfca945a061deb3a67a1d209670b4649d4b2f4e9c90dbdacf110ed02eae1881a1cb085f448c1629cb76bf3a02b4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
475KB

MD5
43571024bbce394cc33d36bb2d6942b0

SHA1
dded2641c97e17f3a08205451635bcce1fc3a501

SHA256
bb19ef8ac818ba086cb1ef6e18d264d0eb8774cf27d22e28b082da80275e2f99

SHA512
d3c6fe346d6c4818f15eda906ec1a0065cbad10b5c23001b9988ee79323d8e0e1e83df91d7c939c3accdda5ae0f9cf96d590965b1e4d7741b4438ead2b0dea45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
290KB

MD5
023fc7219e923c0a3bf5d469d22a54cd

SHA1
97376bcf23c915eab9b4a8194aecaf36ef0e0752

SHA256
7a05c04379c0f09807948efc2e9020453e4a8e1126b85fc9b8e34d6d0712f596

SHA512
9d04dba70c50a20f2d436634cf5a16f225ba572bb0ec6544ada886c10472725b27c7e865abcb6772d9ed2ff91c8462781353d50eb57dddabe1a247b5c99b142d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
621KB

MD5
0564528098c10a65a4f20f59926d63aa

SHA1
59a513f3151b7be66c6321d51116596b47ff0cbe

SHA256
368e6c3dd7b896b435b17cca24396e32bbbd3c18cb6bcf37b4c221111008d27a

SHA512
4029551be71e1efd70677fecd0805fda7a10da7dcd07f1c2329ca70355ca20addf1a097223ff1b4119720d915b33824b31cc0b50735a28d459188f0bd46ce7d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
57KB

MD5
55aaec9b25a6897dc5f7bc45855fbf77

SHA1
4b4dd1bbffc13b57c9cb625aab54a382c329a368

SHA256
a1034276301e0a49fb3dd49d339c6d9ac1c4ba06c687cb13a17c4959ee42e363

SHA512
284764da71904a491ee509b06fce6e8e7a4517feaa58db215caf509d5eb7318d209320684b154b802e97928409b37a07f9e6430eb5dcf16c0ab31002346da617

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ef5f38eee5fd09f517cdefa1e9933c6c

SHA1
b99133d78de51682a609f762db4d0b7522ad2111

SHA256
aed62d4973fb8e226e54d0e47e832ac81df28726697efda2f1815b5cb1fe3d47

SHA512
6a05f94a2082d988bcad74d3274c8857f79ec1bf31f4c3573091a04b16ee9e8399ff9f718bc9bbe7c398e356d89aecc478ec3d8701d47ac5ab4f2eda2942bc58

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
fd79750c1e87b7eede28272fdb79ad55

SHA1
e92fe7e5a2b8066c11c617e1498aa7f32e611d2a

SHA256
30ed1e79a5d9d8ab54f5370317fc9cb6d0d4f4d2c09cb7a08b1cd5d36fd8cc45

SHA512
99ff0a27f3a32fd5c69173748cb49d4c721616c2edcb0b083a557899d5f0de0d65e76495498e5238ddcb84482943a302ff8bf51283692edc5bdc61c81c659ac1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1011KB

MD5
180f33fd15a3f25409e7d1a5b5900447

SHA1
75a247361ea2e7ef567ecf03036849ea4d0f811e

SHA256
67fce3227c9782f355bb52bc5fefc734fa7ff6d8ff8dcd8c48ec94fb971f11fe

SHA512
431a2df97476bba1054d1b95515a110761ddbb2634b52bf41688c1e60479341870f1e5c4ead15761f259de2be9a51279f7d816acdd2fdf274521e9ae4f90acd5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
64KB

MD5
5f72f008fc48c1514ac03553fb3fc6f2

SHA1
9dd77fadc2f0cb58f2ea2de84e50f2e7d49b09d4

SHA256
cd6ffbcc225b9a4bef8a26f5514a21278756a431e5cdf03b5c9f71797b0011b2

SHA512
5cf9be93f3d3c4dfa52cb041a3e02306e4431c75e34227cc7cc8bd7f70871b08402efe3fb7f9e275f76d9cf94d9521ee680660b8560ebacd03d939903cb43f67

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
206KB

MD5
a11a0f01acfde72acb45e2e444e88a7c

SHA1
4b6de915e668757a30c478ca9b2278897c6ab4ca

SHA256
b8feb306bb63b46a2f1c6c39511b39b29cfe95bb316b31792ea3f5c96e4f8a34

SHA512
dfd28535f3dc35ba919cbc36a0eb15faa900e4c80e393318e6d655e5d42afd98fcbc797115bf2b0f324a5aa6e436a2141321ced8e22f9102c034ee4964d21964

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
472KB

MD5
83a9cc33e85231edfbd09f146e1c0b52

SHA1
b84b21a3bae230bdeecad839e22822c7e86692f1

SHA256
cfbcf9b008390adea9b5e86318fe73a6f5cff68c21c3afd0600442ba4cc6b552

SHA512
e180c076e0c3c47f275929c1362f0b33990dfa7de021e7b7a3e2af595f094bd180a49e85331f549e54346c997f4ef2585c53c6666e9ea866c3f84f2cffd6d764

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
408KB

MD5
5e2d9aaea8fb4b66bc21cf4db489a5b7

SHA1
37988b20dee5671a5671a49de32d43a889c1936c

SHA256
926f1bcc8fd50d6272334eadf27289c29983c47ab063383b0174e74795ac6e81

SHA512
e5de385bab4d91351354231f68eb0020054766d4745f11a8a10019417eddeb8f225d41856fd81167bd714c7884b102fed1002f5a27b2c9058c24caf84a6a451f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
461KB

MD5
1223fd8e7969ceea9af4355971c2cbd2

SHA1
4be9b43fc63eb6384f2e83f6432f256abb0c9b04

SHA256
2bdbacabb5f8a69e000d54ad566428322ca9e43403ff2c459b74ada5a0c1043f

SHA512
e2e0880e662732123673234e8308b3316abadac0243b9def40dcc9d6ac1c8b4e5a026137c40e36e871a2af82a13d22295ded04e79765d070c62aebab7addbb2c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
870KB

MD5
e6b2eb6f77d081d6355e58bb3db55bcf

SHA1
638f825cbea06a8368eea98f0d4bc446b7c816c4

SHA256
21330b1ddbdb7c149be3c9efded4a7016997966b6f2a1619c8e5eaf567c4c1d0

SHA512
d64d36c56825f65524c85fb7c6f8c91450c5c4cef663dc2e6e26178d69ec123e425b0a7b615132c5eb5fe692478f676695587187cb4d4e3c8b853384aa940874

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.0MB

MD5
87f16c979393c57af56307d22a2f3959

SHA1
3f97d35eb2925da2b6045e1a715168889ea645aa

SHA256
3cbf23f560c8a2ccc05fb2aff2ae6fe5fb3965e160dfa949c713d3cfe90d5e10

SHA512
7eed33339ae8bf12b6387891e809a4534590ece07018dca4fb37fb5bcc97594d4a7f46642c22c2e4eeea62e324cbb3fcf80795c89b05b9d853f5e9a4bc3e7c40

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.1MB

MD5
4aad321da91f1ab12509069eeeed52d6

SHA1
060c6c8e0e760ce2767a82c1eb12880995ab3ea0

SHA256
68d54494fd10eeefe493e896fbc009427509d6098ae85f850995a1a77e2997c4

SHA512
9edc2217610a7fe5d346255569e608c2a8f76cf77123907fff8c53ff08d581de2e10633bdaddaba19319c18c03a9a83f2d34f7718def26435d3dc582ed2f9d8d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
45KB

MD5
4bda01cec370f099e0a794a8d71b1433

SHA1
730ee5f6a56a174856dcc58aeed8dd72becda89c

SHA256
c36bd96a75d2d50150b0de74f704b0d3e756c73a21480684a74cb2b85765021b

SHA512
f6c1ac0255b4e25e37c37d50a9ecc56cb076ae049071c219ab1b50e7115660b25ad7b367be52537d1d1f8baa9e52e7d158a542d73c9517c095107c3f87bf9473

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
578KB

MD5
b16459af609a7b04d835fed9a875f4ce

SHA1
8f94a3baa3dbd2dc52de92d2ae0df87451e8bbb2

SHA256
bad1d1de259581f07405917d1356fe7b1821d0ceaeccdc5eb926ee0dd10ed3ae

SHA512
24234d0a7c9c840589214646be39550ae831c2ef1cb7e7684290463fdb325361f2fa631d6fc3671603be23230a9e1b35864ad4413b014c1c387c9e7f03d102c0

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f1b892d5107ca14d263179d355fb5ca3

SHA1
dfd6c6e5492558695a7d2a414b90adc78298ca61

SHA256
dd1a94a9c6f4ec83ad0265448f09c93c3cfe04ff9ac629928d69d4681bd16450

SHA512
6d533be6bece584ccfcbbab4815f4925bd6da982630816e4bcc9b5adc86feeb1530cf26b1869e851684e5ce7f46b432ed75c88b5bdad405b19f426b2d1b42631

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
e3484be3384f0b6f12dd1e163d9b9719

SHA1
1489b4aacd32a4a333f50e52ee18220ace2e5dd0

SHA256
7a355b6629cd490ed7ef765c9267c4e06dd3fa5c53aa5be32818cb6fc0849367

SHA512
7802f6737a5003e7ed674c022472f50ed1e4033f75eba99c49b36937f15e98f8b37c2f6439379e183667e5bb7c1927b7b76bd526564e6a0295712ec7a50bd1c9

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
8a7b19e5847e3e211b7661927dcef60d

SHA1
311277910e3740d8424bdbd9a60dbc0f36081a78

SHA256
8dff6e180eadc777d8e039ebc21427b172b48bad7aa3c0c9a9f4c463764fbf01

SHA512
99a90cde6c9b3774bae675e5ff7013f5e481e65dfa446c852f4da40c2d4201e566fa34e7533a3a087de0887af6eef15700450884012919e3c97b549f9cbe6f1f

Download Submit
memory/592-257-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/592-262-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/592-506-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/592-306-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/592-280-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/592-250-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/592-251-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/592-345-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/592-507-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/896-323-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/896-261-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/896-320-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/896-308-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/896-248-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/896-242-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/896-241-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/1052-446-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1052-533-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1052-532-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1052-546-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1052-473-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1052-440-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1052-480-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1052-449-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-349-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1320-448-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1320-347-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1320-450-0x0000000074498000-0x00000000744AD000-memory.dmp

Filesize
84KB

Download
memory/1320-435-0x0000000074498000-0x00000000744AD000-memory.dmp

Filesize
84KB

Download
memory/1320-339-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1396-143-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1396-144-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1396-150-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1396-236-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1488-127-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1488-134-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1488-128-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1488-205-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1596-277-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1596-268-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1596-278-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1680-335-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1680-311-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1680-315-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1680-334-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1824-438-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1824-325-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1824-329-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1856-264-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1904-99-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/1904-98-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1904-104-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/1904-125-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1932-136-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1932-114-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2456-544-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/2456-538-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2596-291-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2596-348-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2596-283-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2632-300-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2632-297-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2632-434-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2632-433-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2852-72-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2852-40-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2852-39-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2852-73-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2852-156-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2900-95-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2900-167-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3024-7-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3024-6-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3024-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3024-235-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3024-0-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3024-142-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download