707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885

Analysis

max time kernel
1s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 04:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
Size

1.8MB
MD5

baacedb2cb0655a926b84fe8895dfcc9
SHA1

d6ed142a5828b397848ca9fb8b2b7c7e64ac87ea
SHA256

707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885
SHA512

bf1087bc3072353e5bdec5b6c90500528460fee25184d9f2a500ac8224d7988ffb6aa6711f6a11ae38c83c18ef406ee0296e69385564cd10a3137984c122db21
SSDEEP

49152:JKJ0WR7AFPyyiSruXKpk3WFDL9zxnSLzkTtuJ:JKlBAFPydSS6W6X9ln8kxuJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
476	Process not Found
2844	alg.exe
2748	aspnet_state.exe
2904	mscorsvw.exe
952	mscorsvw.exe
2040	mscorsvw.exe
1276	mscorsvw.exe
320	ehRecvr.exe

Loads dropped DLL 3 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\db4fd3b856fe8faa.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_it.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_sr.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_bg.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ca.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_fa.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_id.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\GoogleUpdateSetup.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_hu.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_pt-PT.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_th.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_zh-CN.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\GoogleCrashHandler.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ja.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_lv.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ru.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_vi.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdate.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ar.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_hr.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ms.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_sl.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_sw.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ta.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\GoogleUpdate.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\psuser_64.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_de.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_kn.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\GoogleUpdateComRegisterShell64.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\psuser.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ko.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_is.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_lt.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_no.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_es-419.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_nl.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_sv.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\GoogleUpdateOnDemand.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_cs.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_da.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_pt-BR.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_en-GB.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_gu.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ml.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_uk.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_bn.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_el.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_sk.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\GoogleUpdateBroker.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_fr.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_pl.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ro.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\GoogleCrashHandler64.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\GoogleUpdateCore.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_en.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_es.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_hi.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_iw.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_mr.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_te.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_am.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_et.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_fi.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_fil.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1803.tmp\goopdateres_ur.dll	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1576	707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
Token: SeShutdownPrivilege	2040	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe
"C:\Users\Admin\AppData\Local\Temp\707f84baae1ad9206f06929918b1c7fb784d134458dfed7696219b45dc783885.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 158 -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1e0 -NGENProcess 1dc -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  PID:1712

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:960

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:1580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2532

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:2256

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 260 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 1e8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 270 -NGENProcess 1e0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 248 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 274 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 288 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 248 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 274 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 278 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 184 -NGENProcess 1ac -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b8 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 28c -NGENProcess 240 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2844

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:1900

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2420

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2516

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:1016

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
320KB

MD5
9396eb5a922d1bc2995e4bec56215a9f

SHA1
49587ca032adb7daeb54db22633246929e30acf9

SHA256
2de94bdac31bf618a6ab279cf90da276fdc07e547acfedaa3a6e5cba2efb7954

SHA512
0d3285d473962972702a3d383a74433e24aafcf15ffd54cf10904a6589ea6b6543133df1a478bb665c43a1b1e22a9fb61ffdf417ea80ee05faedb47f4931cca9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
175KB

MD5
0ff98ad61a2caf34a386cfb4b4ad9342

SHA1
39b6a7286295935ab94649ef33efd0cad5fcd83d

SHA256
769e666c8590562a9cf628d8cd7897cd11e37833f8fb30c4bc40abd2c6e8776f

SHA512
4275dd15d9de5d9250cbba1c62f7b57622329d8d52063dd396f1aa4a5ab9c42fedad040e21c0b45dc2bd584ed76df05ea2b2bdba72824ce1dd823d1ea7a65b20

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
167KB

MD5
a68ecbe8096def31400d573387a2144e

SHA1
05eea554e702933a168cabf8245e50d6aceac21b

SHA256
7f95c967165639f230863602f25bd2e68582fcc26fb3cef3d62ac8bffd586660

SHA512
440d87e9a8107857abc1d3c7486fc0dec96cc5694ba4d58934289755c2d4a51358a06d8111ee5e226647ff60c4177ab5f1f86fef82f820dbec45b65ffd74077c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
385KB

MD5
d84b13efdc776fc58015cfb3077ebb82

SHA1
cca8a9c24db205a3e7ebfd35736267070097492d

SHA256
7cd908ad5f12211202dafcc38767f9e2419ff6f1ec8b58b8fcdff83169d62bf5

SHA512
c79436612231846b131817b92f057bdacc52f84212658129f709701c64d8264e5e691fc95569e51270ef744cf47ae18183c6489b11232214f9ff0ae8e88f808b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
4c1236a03a342a8c600859bc5ca883c6

SHA1
b5a439cf090d7f95ce8652a289cbeb14d9281cb6

SHA256
5cc6ad7fa1fea3479ad7a247516ba1d94d0792a4195f2ca6189c6c90940c34ea

SHA512
15cb016a4b85b511f022fcf6571672ff78f9610f290c7d4feeff4082749517950d6fbcf46d6feea2e0b7fc7966f112618b990d0f2107cbe0aaee09e7e9c82775

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
485KB

MD5
2b4f8f0d84a7c53ec92f46c424fa3014

SHA1
8b818f938d4b1dcc764590358fffab4e036e8573

SHA256
1fd2eb4be7e1909f096abe29ee2f78f32326b48f098be845d0478fa944a0e42f

SHA512
9b9aa76cf908d9ffc2249f8ddbb008db6ae72a17b391c00742e19687eb7bb5a741279a88efe4438851581a6e7fd72051b58571f00e586fa4bd4c31ba6533b9a1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
646KB

MD5
44ec29a260370956eb9becc66efc9685

SHA1
13ad5cf323b77ac6ea4d21845ca3e51c4334fc2f

SHA256
1f2252eea09e74dd6607bfd14ee3fe12af956776311f6eb5447692daeccd23b1

SHA512
8304ef51a20b4829c4d458636a59db927b28a6eaeb6661d2c71314e42e1250809ce016201aa50cf6c210efc7737a4182f52c92595946c3a8e2c3f13a17c7c375

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
243KB

MD5
efb4bb306be2466caaab3184cc85958b

SHA1
e1f589998f87ac1cb890f108d77a6b6cb4905376

SHA256
a05a22b95012d9a3f4eae5f3c6f92d66a9aa63a7501bf338ea7cc1bb9543373c

SHA512
50bf4b216ee990a805c13bbd437d4ae7bf5c811e32e34e89253d06b766ecd03a93f193f220e74df83f2a976f9031dcaf51f885967c0a6fe69aacec6c15f7b94f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
252KB

MD5
5a220926098c3d139294d3f6783a2ebd

SHA1
ae616ab49127d474253ee5d1666251e7bf458aae

SHA256
67be2692cf0d5b1eb977f3bc972cde0757c3cea363c31f3814eb5ca2e014d692

SHA512
7dbe09d9348dede01f0cfb05bfd3c48fb53051e44fb8b6abc8dfc10f57b14ea1e1c8646ca18bf19f7b39896caf4ca16a31b0bf6657ed0c151e8ce9d44104f8e2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
218KB

MD5
56764bd26ad67be51285c0c8766f1bf7

SHA1
1e5fa8a42f80111d1edd283572d324b425de0e2e

SHA256
8f7f2fa9ec238878f401b7dd3c87b307cf7d39d5bfa50222982a765d51d33001

SHA512
cbee174bcf4e944cab0bd6cb49070edeccd362eb9359cc469ada2823cbb567c7037a280d957d0f469f25adcd7b1096fc5eefcb68e9ea5ad5a2d2c62396e1456d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
21KB

MD5
19bfa87584da56223d1191d9a78a6392

SHA1
e371f811ce732b8869199784acb0fada2d4f3ef1

SHA256
eb3ad117b2501f9063c29c04135c0f39686844055259521cc729ff290b1d7db1

SHA512
c5169cd0317f650023d95b75a6c488c5a88c2a998337b887444318bb4bfe9b436d94dcbfa54fac87478d2bfc1b5f2689fac7ca314c6a08d1e675bec1eb228830

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
262KB

MD5
26ee32d02b56e290eab7df6870ca296a

SHA1
c5230e60eb0ea31832de7a0a270cde5931b8cd77

SHA256
3ad5adada592e215be108d466aeb83d0f783af5ee9dfce085e275c16aefb6996

SHA512
147e1961f399a31c9c93cc3dabb9bdcc950711f9fee5dc288cf5bf36d94dae0082b423a91723dc2823d9b22fbb5c1ebea71253e3249c22e5215ef2c7b1b7a7f1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
256KB

MD5
4729a2f0a2d3dd86114d53373c534a98

SHA1
a6bf19009aec081c1b6d453ff3e6b5668019d12c

SHA256
415ba0edf975b52048742a3c925a10e3aabb53ea10a175011e3a997a3b517ac6

SHA512
3091bbd583c53029d27119ec9abdcd3186096499a4cc3cb7fc7d25b3e0fec9c1c8b4ea7df9c7997d488f9eb58fdb999bfcf4aad66815708a5d10f5bf4d252bab

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
384KB

MD5
e383b56767026ba01514c0bb8de4188b

SHA1
54489355cc46b03106022ad20c5833adf5374988

SHA256
b27ca764ed67f4861b1f1644c5fee75adbf1854030c6350b91ba8ce055fe79a8

SHA512
f07be20b8f32001f7a7947f057a4aeefae59aad8e45a063a5821385fd184b13ce4256290c8bfdfd74b3dbfb00fc7eaaf1826c903fd7d716610f9ca22d7c11eff

Download Submit
\Windows\System32\alg.exe

Filesize
1.1MB

MD5
0d1ab5f7ab4748ce90beea339034bee3

SHA1
905bdb95834ef81c3bb986415b4406d8e9d89b76

SHA256
f476e445d14211a68eb79702d487f86fba33c6ed40e5866a3be9136a05e59969

SHA512
c9955855b7ffc995b3d92337c1d41a722a14c32b995ef311cf1a29fa519786491fe83b949291910e4d315524b6ce97bf718e8050d671a0e6af9e028367a58180

Download Submit
\Windows\System32\dllhost.exe

Filesize
168KB

MD5
d2e7fdaf24213ff57225778e96183843

SHA1
557e62abdb34d07ab224cfdde6c1c19a1b9763cc

SHA256
9d49a8000d75b8827e8ae60b722fbd56cd6b3bf4dc6ef51b9fdbe20fbe6bf452

SHA512
6cb60e345834eebb6599b4f8584620fbaa8c9836c1b1afa69df30ad01ec6269ea1935e6f27d804488539d12e6e81ca4b44eca43d8a59c6a1e4216247fa30a78d

Download Submit
memory/320-149-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/320-141-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/320-277-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/320-146-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/320-157-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/320-150-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/320-138-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/952-103-0x0000000010000000-0x0000000010246000-memory.dmp

Filesize
2.3MB

Download
memory/1276-133-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/1576-139-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1576-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1576-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1576-273-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1576-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1580-175-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1580-176-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/1580-305-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1580-312-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1580-326-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/1580-303-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/1580-182-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1580-174-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/1580-178-0x0000000001010000-0x0000000001090000-memory.dmp

Filesize
512KB

Download
memory/1816-382-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1816-362-0x0000000000C50000-0x0000000000CB7000-memory.dmp

Filesize
412KB

Download
memory/1816-381-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1816-366-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-197-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1892-275-0x0000000000C20000-0x0000000000C87000-memory.dmp

Filesize
412KB

Download
memory/1892-194-0x0000000000C20000-0x0000000000C87000-memory.dmp

Filesize
412KB

Download
memory/1892-274-0x0000000000C20000-0x0000000000C87000-memory.dmp

Filesize
412KB

Download
memory/1892-290-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1892-278-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-291-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1900-318-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1900-348-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1900-345-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1900-325-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2040-111-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/2040-112-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2040-117-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/2040-181-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2232-386-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-377-0x0000000000CA0000-0x0000000000D07000-memory.dmp

Filesize
412KB

Download
memory/2232-396-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2232-395-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-156-0x0000000140000000-0x0000000140251000-memory.dmp

Filesize
2.3MB

Download
memory/2256-153-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/2256-284-0x0000000140000000-0x0000000140251000-memory.dmp

Filesize
2.3MB

Download
memory/2256-162-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/2296-402-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2296-390-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/2456-293-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2456-306-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2456-309-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2456-324-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2456-323-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-354-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-351-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2516-367-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2516-368-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-369-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2532-167-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2532-172-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2532-297-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2732-338-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2732-353-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2732-335-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2732-346-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2748-93-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2748-170-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2820-288-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2820-281-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2820-295-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-307-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-308-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2844-154-0x0000000100000000-0x0000000100243000-memory.dmp

Filesize
2.3MB

Download
memory/2844-17-0x0000000100000000-0x0000000100243000-memory.dmp

Filesize
2.3MB

Download
memory/2844-71-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2844-12-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2904-128-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download
memory/2904-96-0x0000000010000000-0x000000001023E000-memory.dmp

Filesize
2.2MB

Download