69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704

Analysis

max time kernel
42s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
Size

1.6MB
MD5

ea4d996b472fabecc83c821342a6f2da
SHA1

3d6f8b3ea30f2da6392843b09c6a4039bda72040
SHA256

69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704
SHA512

fd44c2ad95e661fb4de273cc21a3102a8f1361f7377bd1bf6228476f3e41a3c52159d991cdedd517b139c35c102d2f8539db51b30b45c37230876824d854f40e
SSDEEP

12288:PZak9NyN+gGo3gnqYI2xsuz+dIoMfySCbne++ZgmCWJ3Mi1EesvxuAySjZF:99NyN+F0YfxzccaSL++aGJFayKZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
468	Process not Found
2372	alg.exe
1660	aspnet_state.exe
2872	mscorsvw.exe
2640	mscorsvw.exe
2560	mscorsvw.exe
3020	mscorsvw.exe
2060	dllhost.exe
1616	ehRecvr.exe
2076	ehsched.exe
2296	mscorsvw.exe
2088	mscorsvw.exe
896	mscorsvw.exe
1484	mscorsvw.exe
2288	mscorsvw.exe
2964	mscorsvw.exe
2628	mscorsvw.exe
1344	elevation_service.exe
3048	IEEtwCollector.exe
1912	GROOVE.EXE

Loads dropped DLL 6 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\162839bc3db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4516257F-CB2B-49ED-8DD4-9574CD66F8E6}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4516257F-CB2B-49ED-8DD4-9574CD66F8E6}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2660	69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	3020	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	3020	mscorsvw.exe
Token: SeShutdownPrivilege	3020	mscorsvw.exe
Token: SeShutdownPrivilege	3020	mscorsvw.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2296	2560	mscorsvw.exe	37
PID 2560 wrote to memory of 2296	2560	mscorsvw.exe	37
PID 2560 wrote to memory of 2296	2560	mscorsvw.exe	37
PID 2560 wrote to memory of 2296	2560	mscorsvw.exe	37
PID 2560 wrote to memory of 2088	2560	mscorsvw.exe	38
PID 2560 wrote to memory of 2088	2560	mscorsvw.exe	38
PID 2560 wrote to memory of 2088	2560	mscorsvw.exe	38
PID 2560 wrote to memory of 2088	2560	mscorsvw.exe	38
PID 2560 wrote to memory of 896	2560	mscorsvw.exe	41
PID 2560 wrote to memory of 896	2560	mscorsvw.exe	41
PID 2560 wrote to memory of 896	2560	mscorsvw.exe	41
PID 2560 wrote to memory of 896	2560	mscorsvw.exe	41
PID 2560 wrote to memory of 1484	2560	mscorsvw.exe	42
PID 2560 wrote to memory of 1484	2560	mscorsvw.exe	42
PID 2560 wrote to memory of 1484	2560	mscorsvw.exe	42
PID 2560 wrote to memory of 1484	2560	mscorsvw.exe	42
PID 2560 wrote to memory of 2288	2560	mscorsvw.exe	43
PID 2560 wrote to memory of 2288	2560	mscorsvw.exe	43
PID 2560 wrote to memory of 2288	2560	mscorsvw.exe	43
PID 2560 wrote to memory of 2288	2560	mscorsvw.exe	43
PID 2560 wrote to memory of 2964	2560	mscorsvw.exe	44
PID 2560 wrote to memory of 2964	2560	mscorsvw.exe	44
PID 2560 wrote to memory of 2964	2560	mscorsvw.exe	44
PID 2560 wrote to memory of 2964	2560	mscorsvw.exe	44
PID 2560 wrote to memory of 2628	2560	mscorsvw.exe	45
PID 2560 wrote to memory of 2628	2560	mscorsvw.exe	45
PID 2560 wrote to memory of 2628	2560	mscorsvw.exe	45
PID 2560 wrote to memory of 2628	2560	mscorsvw.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe
"C:\Users\Admin\AppData\Local\Temp\69cf1f011c501ebd306ff4803641dfeb7504139081d8c6d3532749ad8590e704.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 254 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 1f0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 288 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 288 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 264 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 208 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2060

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1616

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:1640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2200

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2440

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:344

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:2444

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2328

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1068

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
8401c160ca224834e21e80bcc94dea96

SHA1
fb87e0ac7c68caef735c5ba9928b40d2cc89f91b

SHA256
3311091a8a188b174637427b3a0e9b30cae0e1b93c8b9599de7e58ec4ab7ae9c

SHA512
c21fd8d71d8b7f4b5d5cd13891f2f4651dea971e1bf69bd31aadf55a30753f904b1b310e4f4c73b0895558d881374f19de947ec7edd961bdc6fefd7f9be415ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
320KB

MD5
792a32e90c705f133f7fde4419a9bc83

SHA1
ed5576bad1e612f902f2af7f2bad7b3b4fea80b2

SHA256
bd29bf9ed528b4f8f3f00081edf297db5b5ed16b5d63ef6992ad60100da7c1c7

SHA512
b03a6fce79ec85cf1aca403db8134305cef38a8be3c5fcba8f689959112125792049500f522fdd9bb5249559277f5cfd946d09c67a0f849a605549bbab027ab2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
63f2bf28d133e554b181492feb0e9536

SHA1
d07309ecaff3eb3a3755f6cc8a81818904cb34cc

SHA256
755c45d94d4f6c595e7f871110d2ba9b042a9add03c509c2a35d9f409f236a32

SHA512
28202cbd60e3a05db49dd5145113bcbb9241f351a087b57d42a955d13014931b89386e75d5a03e98c7bb780f885a295919149817e4452f4020831542defc25e2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.3MB

MD5
d676d75bda9fb8cd785cfccace5ee91e

SHA1
5adab35b7b5ff625c2bf69f186a2404422c3227e

SHA256
183e64c193217f7731e7c164d6f23e1a8af8018116ef0558cc889a617288c71e

SHA512
031827affd2c3b34ffe44b8c9ff48fcf2331aa54321e6c3e7c87a9b5f94247a9e00610a1435252dd3a1fa632c8d7962d1a3047f672e264a3f60fb2639822635d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.8MB

MD5
4fae07d7e14502bff9cd43a66774d694

SHA1
ad2e658efcfd44bd7132c177a76efa28c8664aeb

SHA256
99ec437989c9943bedcf43ff4510ad186a5b30fbf1cd65807ac8f68cb6cb77eb

SHA512
f2956b34119788b14d77c8db157fe11410d270393000afb10a9607360195bb9194a5c2efd7d3febdf8c2b49b8072828602a6db8e5b10c332848f5a1548c73fe4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
448KB

MD5
ebcc22dcd750ce654d1ad5c9a4f5da81

SHA1
288d76879301c08ebaac89410f858c87603882f6

SHA256
2db5592af17264b26619185ce20e9279f0d5acaff81e5de4283308eefc20406a

SHA512
9f3f2d5abfb90f828a2c85c9847bd90a907174f8b7b22b8ab8fe0e9174f52658b7d9658cdd51d5d11eb1461cf390dd513a9e39b69bfb3385b6a20e4a591c1959

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
5476a08e52e9d56031a6d19bc6c5117d

SHA1
cfdaf3f46faf552fc53a2524001a81dfc3951420

SHA256
de1f6f066f3ea88be6cdc446729df06337579dd605f013a2eb751a48b10e76a8

SHA512
76ad5cbb9405e3b4f79a88b8f5807871d46a05c825956aa70c98e0c146053cabc5eee55003d434565f3dfa0dc25a3740bddf7ccb074459cfb1a8a42651df3749

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
234e3b51c354918d468fc505e57e021b

SHA1
04d16ff3b01b630527a8fc4f78bdf257d5d2cc08

SHA256
e42f456845ae85ad2f11580bc04d98347e2edaaf8c1fa278939889e041d1a00f

SHA512
6c3c1b3e650bc1332df3d219924ba49e8d04de5f45c6a1f29bf9ab1bba55aed9a2bc8136814a1890cb51f9659ab1a29ac6378829a695ea0acd640014fafc097f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
662aa85cfb04d233cac91bede6a855e3

SHA1
5003739cc95c26a97333c2b1d3892dd83de9c051

SHA256
0e77aba767543e2249e714e429009a94a54d71dfe24fbdb50a99a8b97c56ee75

SHA512
fdde6cacef599031d09c5cac1ba88a802f05354d141e386b83ec4aaf0d7a846058ccdba31583250d9dd50aee474ba45d817174e421492120ef3db38fa554d9f6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
4fe88fd6e9c8637718bdd69abda29799

SHA1
e329e8d4d16e961c04d411a70e1ed314b03bb2fe

SHA256
e099eb0786e2fd5dd3f480688baaa1c3216ceeb8dae9649d0904917b329c1c5d

SHA512
0cf84961c79f53acbb590a16ee3d8e0ab3bdacd74b1ca7685496a6b30902f3a6ac12c83ce7c91156bdfde77bff03c24ff255f6e7a4ff9d1edf85c8f54280b39b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
09a66a6e877517516a9590ce3e4c464b

SHA1
55298f46e154d72f8d63c5dc9eca97e9ce324fa4

SHA256
f4ab02089733acf841e3325f968a7afa5005fb4118a338d78283017549a67186

SHA512
a81c7bcf064be95a1acb7b461e1e6d557901f9a099c5c3329b1224ef50a8c28eb02bee9cf44d08c2e1ac68d4b96132df4cdc1e17c6dc18a26a51871545e6d1d0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
7c2a4f9da18463f6c861546bce697b1d

SHA1
141fde3b1f00f7d12a440fbbf0561ef68bb09cce

SHA256
265aa9d3731eaaa41ba7bf7c5b2eb0597572affd554f790d5b8bb6e450dc8c11

SHA512
940083353409df5d4bb75ac060e254206cda10185863b2426ce3c2f0d2fedc8adcc5ef36d2963fc9f7726ec46128424a126b4067bf4c046eba718710347395f7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
94647b9ae045a19f87d2a18aaced58d2

SHA1
880ba14e958174a4b027d3d99ff7e2de1e0c1aa6

SHA256
4ad5467dceb8512980ebf1c48245c4d4b15764eaa2350149a4cbb98cb3004f9c

SHA512
f0fcc8225ffc05af14a20bd3475d1c551a09681ae2fb4a6f0c158e697b8c983fc8aeb7722efba9806b5d77f31105cb72c7ca5c46b85e713141a8fc96167f3a5b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
541bf21748b4b420edc16f3404ea2d79

SHA1
f2012cadd1b9d5704180e843a97b1495b844fc42

SHA256
3f493e2021d6d8d80567a4e6c051c06c0cc20015224dd65e30af3ed3e27e2731

SHA512
dafae5fcb42b7f9f4662b36e55d25f1290a9d6e9beaed9ca4de3aaccfd8eca8acc970d77fdccd4f6d5f40a252d14428fe205be4d6eb857cc84b963d65b8fdddc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
768KB

MD5
589026806fc4b325ee0139c9b8e2ffb2

SHA1
1c9c066520725ada97503cefd0b00f86b94a27e1

SHA256
8ff156b33e363c0750c786ae17f7aa68d9c508ee51ba671e053132b69dd2ebe2

SHA512
24c3491242020d7f49839fd335873c00bc4849404f4ba950fa5b68d92429b1c7d22c043adf6692270e515aea1b5b6876e76d5c09abb752369c4b4bd791a4d374

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
135392854238c16960a8284975d9b85b

SHA1
a1b8439b098e2a8c64e43fce817f5ee83f9b8380

SHA256
af5b57471dc0b50dac4d8ce35318bb29cae084bd882e2847aced1ddb024115b1

SHA512
528c4c22a7c58d00c29f3f9c2f2d36317e66902cb8c55f782fe2590f846a3670e9c300b7718a83eb0c9dd54f1b7006fb60e278de3548a3bc1ebb66ffe07b045e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
802KB

MD5
118eb98f6e26667a21eca1e322d16d19

SHA1
9fa056d764e98503e2c613b683ad5aeec1ece3d1

SHA256
a5257985847f7958ec481dbb6e69e474ba78630395665db8f002d49017765bdf

SHA512
e90362dfe3fd34c4a29642f1c96c8a74e53688db2b42279c8d15ac6abec234e10e36240d373bef743ff6135bceafc1890ce9506a949ddecbfb4866c4d5241ab3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
128KB

MD5
a1f70d30a612e21e61139a620d07f724

SHA1
72642b8f86d75a2f5b50169069924cccb3267bc8

SHA256
96c08d1c38461734ff5b1f4c3b268beb1a6a8f61951e9a7944a71fcab5222cc5

SHA512
8239b2285828843cc0daf343dd131642ed11c3f1393f4e2ca462c43d8bfef099e0c74f88a9cc3da35dff220627257b65dbc9dc2ffb1a7b4fc33f509576119484

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
4503afdf4f67c396ce10589b5e74a8d0

SHA1
1eaa6a8111838dfd3ea7e45f4bf283ef208dbabd

SHA256
25957cbf70d381d0a81ca13f24b448a44f3361141491e9446523028699957787

SHA512
d9628e9624149bb3542baeb5018428f984eacc88c14648c845dd9bbf2cb39656b2ca1af34b4c4f5f83f079082e88fd97a102e39fe4076c6fc8fd11a9bc7ef655

Download Submit
C:\Windows\System32\vds.exe

Filesize
512KB

MD5
23f3d589806ec62b19d664243a7bbfa5

SHA1
882b98bd41c0f13907bf5c964f9cb3fbefcce62f

SHA256
89a1b50804a28d7a8c4f6f91d6ae2334f61e44b1ece361f37271504b49bcff32

SHA512
6020ac9dcef3bbb4cff2cebb4cc1162687914e9ac028617e8c3ccf3eb61844802b00fe0c5ea10eedaef2c985035d4188173ae81f4ba51701773bed09f0db9f73

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1024KB

MD5
d409674d1267816bd0546ebb6bc0775c

SHA1
cf99d8f7f6258c8d3abf42fad0ad06cdf45947dd

SHA256
42148713aa341ddf037282df63aea20d848e49a73786637cd8503af7ba6cb43b

SHA512
81bdea42f7da0c019997bb4b53a912b72760140c67e63adabb42423c60f49c11c825f42f4476b89407ca412474cc48128aa5830ee02b82815a2600d6ce69c963

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
512KB

MD5
8a64a91cf4604190e11ffa5eed742fba

SHA1
f6e4ebf6828840da95b5c8f7f4dff49c3d6e9521

SHA256
06778b868c0508bb1522a10b8761a14d6007cc9c0048f733aea3f64ebabdbe01

SHA512
c9be126e5d4efaafa422f53572a64d8cd38ee3655f3131eb3f58f58fe504c70c25e613ab68b5b2a24f59c6a575ac2029b414e99a39536ef17f0f1320cd09e19d

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
e39b30cef9ddfcaeec7edf84d1311b1a

SHA1
1617f29e687972f1295c226facb42ad9ce312fd1

SHA256
28466d18d6b31f387487b323da1054437fe8a6a419fe4a35f915b5cf15f9b436

SHA512
86dce62b15ced4613517b35fe2a4a1b94e8c07e8b81c4b0ebb236b4c072e5d0ab14faa1f88ed0528c19ca0b954f2d4b312cd144e09015123be18ec2b97d8076d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
3fddfcb312ac133460319ec12a283f02

SHA1
bbb283080cc7a6fb3db7758b138a5a5af0a1b648

SHA256
8dc56558180e7fe3f118175e8fd2a5756edb899b2e2f8c29ef3517a0779884a8

SHA512
523bf011eaca164da4e6c5ddc87105cca72f9dd6e4d014479f3e68902893a6810b3644272c66510f154c80fa7510763af150b2e1cd54f4e8fcdd83dfddfb417f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
7244450b90ad75fd534c9f6a051a5826

SHA1
78f9b4fa20cd06d02856e4e8f3e0bbe04ec10133

SHA256
ece8465b2c6e51ed20234ad0f7b60251180f98a0ddf5d0694b5236331ac9f449

SHA512
3b2a6d4793d304bab42a4ad1053139abd2019f2a074352943ff652be32ff38ca6d6c36760a6443f47657b910d6fd2dc338451b9bc350fd82619ae4dfe83fe5c4

Download Submit
\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
3587fbf140669ff1b1437b8bb9883c51

SHA1
43f460d823dbca7086329962b507b637cba14c00

SHA256
6606f2c603ba0324784930693eb34c63f30c033021a6af3593986a791ef3a472

SHA512
fd515e278af33a9a5855339b00ad09ca1d4331e3380ebe3e6f6951ef5ac3d769df7bdfa2f4fb50436290f3aa6f4e7da99f8ef1b0fab767c20e53a832b53938c2

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
3864b01a373c0957045e8a4d3f17b16e

SHA1
a21367a1b1174cdfc6490f45237208b886567e48

SHA256
3001217227fd5c298c0e956e06c17da8c8c13f39c67c4fdc57b876b71881ea6d

SHA512
013b9f63508a350f49ffd703e637e8467178fc7851531ce8da9bcbd419708f2ca43c2b68dec276ae5421656c929b22a7f038919e5ff4bf5fc4fc76cad46b825e

Download Submit
\Windows\System32\dllhost.exe

Filesize
704KB

MD5
05fff14ad4012dbd0f407d3a67f02479

SHA1
e5dd91fc53ffb9e87c7003db286b327a17448b37

SHA256
6a36e3eaea2e82c6c0724ab28a43cbc9e2ddfaef4fc62a9bf897288df7031810

SHA512
8a9656578020cc0f0e21829d4fb7ad2bd16a23fef82100aed07dc581699f40a88d8229c166ab2c969fd0f8d38a1cf47777affcf32ece4b2b244b069ad23d54bc

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
2b614a5bd43b94f29fccf280c7148e1e

SHA1
9f20338237cc0dd9c5bfae272d070d1aa5cad264

SHA256
7bb75d0535152bd052f91f625cc8bf4af27232ca3dc57055beb917b03605efa5

SHA512
4a86e959e328abeb295045feeb8b2ee10d5af159fefa21a868192bd6f636080398d10739f141a6435f8e31269a337d5f7ae83dac5439f6f257b6fcbb3a01a3a8

Download Submit
\Windows\System32\msdtc.exe

Filesize
192KB

MD5
0796085491415837ead6e759e8fa7e2e

SHA1
75c82a92182014130cf32255e6774cd446f14dfe

SHA256
1918c136775352fd31acfdfdb4258d6bd2cbd07fcfa724f199103432b03f3531

SHA512
35ce68248cf23f7d583adcb8b30026376a398774ec5a7a2f0668f1343ad1f6ee26c1c9c5661e1f9f7a563dfb881ea84e06a5f8a6fb00a81ee12d730cf5170682

Download Submit
\Windows\System32\msiexec.exe

Filesize
896KB

MD5
5c0df70aea85f01aa5ebd6bf996a3b70

SHA1
f3e175070c08d618151a8cbc814ed02e849b4cac

SHA256
f5aae8f55ad3817063216abbbe754765516387e2dcb48ab2a88ec7637da21145

SHA512
34d7d584d07515c6e89199b51f2db956996d2917ff6ab618f5f9a393a750492e8a15830b0bd1edb34263cf51c27a1398d0628c70ebfa52cfd0dc798a5b3d7104

Download Submit
\Windows\System32\msiexec.exe

Filesize
960KB

MD5
9db2e4c82f4db3c93611e5f202ae6596

SHA1
1e51a4c910a55da760e050ffbc59c5df829a4301

SHA256
657b48ee1984e41083f5dfff6fa8af5f837a7ec63c48f5e55936de1f0c5880ab

SHA512
cc8b569786b1711082574785647f006a27cd76133201e1f1f6f25e617034ee60f88be9bd9090ca2676a45673c6ffd3fdc13378dc89ddcaf16cdcef0c9099fe0a

Download Submit
\Windows\System32\snmptrap.exe

Filesize
640KB

MD5
64e87963d969f22995d95779d61be85f

SHA1
151dcda3bcc01b39ad85c50d1f6ab3e44204aa3e

SHA256
71b6e4257a7e4d0a79d60099b1f01e214c13b26addc762bdad41bb59091ca68c

SHA512
7904eb970eac9726827a4803117688ca962a72956d003993dafbaf6db6efcdcc783a4ab6bada6066069aa5e08094ded6f5a0f796af31af8dca971d698e30e498

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
576KB

MD5
7b7d5b6b5d725a0d7565591a225f45a5

SHA1
0cad22f24aba279604d1713dce30843639847a41

SHA256
65a56f9f238d41a7804063ab14acb404a4a9acacf1364878f9e46c7d54ace036

SHA512
047f6fc0850c4443597dba46cb66ae3c98885f9ad5c258e1975740b29dcf456d625ac2da0da85319b6ff5805f2d72b9024778313399fd3640c18486c724d253a

Download Submit
\Windows\System32\wbengine.exe

Filesize
1.1MB

MD5
bdde4fb477feabd7fffd0eab86865cd4

SHA1
d398613e225ccc84cd3566693eea20ef64df9c78

SHA256
952d02c4aa8db6d2daa4c6e5529e4b1bc1350d2efadedcd47bc8d4db65a9571f

SHA512
4df54ef44fb85f469d5d6482f1efdcf02fcb0139ea74a64e23aa81349c4096f3a6bce8a1e0c5caee76d13317410b607b79ec4c191646de5efbfa25ea09d0b027

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6e3a2941293492a95795d743ccac49ef

SHA1
f2e1196fc4bb6e1cc04747a149056381ed622d44

SHA256
99016717455759057e31fa6b20c218304c8d657ce122e19a67b6bb348a6fed73

SHA512
bd5fe98b2ae0aa29a03003781c383cc0f9de22ae07e40043f6291aa2c945c509a0d75a579f9ec4add3d72fcbf317b6cde8613c6a20fd11d00f7c80b13c9f8632

Download Submit
\Windows\ehome\ehsched.exe

Filesize
640KB

MD5
3149799e5494f122dc047988d983c493

SHA1
5eadc571a91226a9987df162cc0a3e143274d394

SHA256
50f2f586357f9d042d4ddd6356f2d98b93e4af9eaf1114a2fb6a6598c2b6e941

SHA512
e587572ab39577716346d4325520d98eca848c2690169bdb50fe59edfa94d9beb026132d1a3e2595a9370fc3d2a05dff4d03ef1a77ffaeb2c61cf8f744e8dc2a

Download Submit
memory/896-158-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/896-179-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/896-178-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/896-165-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/896-150-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1344-234-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1344-227-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1484-194-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1484-193-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/1484-180-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/1484-176-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1616-147-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1616-168-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1616-106-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1616-99-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1616-113-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1616-116-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1616-100-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1616-118-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1660-28-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1660-108-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1912-259-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1912-263-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/2060-87-0x0000000100000000-0x0000000100128000-memory.dmp

Filesize
1.2MB

Download
memory/2060-86-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2060-93-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2060-136-0x0000000100000000-0x0000000100128000-memory.dmp

Filesize
1.2MB

Download
memory/2076-156-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2076-112-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2088-164-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/2088-163-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2088-137-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/2088-148-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-142-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/2088-162-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-208-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2288-183-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2288-195-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-207-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-190-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2288-209-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2296-145-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-144-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2296-124-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2296-130-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2296-132-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-123-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2372-94-0x0000000100000000-0x0000000100137000-memory.dmp

Filesize
1.2MB

Download
memory/2372-22-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2372-14-0x0000000100000000-0x0000000100137000-memory.dmp

Filesize
1.2MB

Download
memory/2372-21-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2372-15-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2560-122-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2560-61-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2560-62-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/2560-68-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/2628-219-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/2628-222-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-47-0x0000000010000000-0x000000001013A000-memory.dmp

Filesize
1.2MB

Download
memory/2640-70-0x0000000010000000-0x000000001013A000-memory.dmp

Filesize
1.2MB

Download
memory/2660-0-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2660-76-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2660-1-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2660-7-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2660-8-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2848-273-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2848-266-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2872-59-0x0000000010000000-0x0000000010132000-memory.dmp

Filesize
1.2MB

Download
memory/2872-38-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2872-32-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2872-31-0x0000000010000000-0x0000000010132000-memory.dmp

Filesize
1.2MB

Download
memory/2964-272-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-210-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-204-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2964-252-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3020-77-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3048-240-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3048-247-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download