1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
Size

1.8MB
MD5

9c016675e13000ac5acb8e6b0b0d6acd
SHA1

8bca75e235a85824f5fa293b798d8e435901a01d
SHA256

1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16
SHA512

8cf87ce907ffbe090122ec7b6f73d7b5b8fccedb6ceb222f080c064c957f6562204306775ea5269370dfd0decf8e09c1cc0dcade641e8b13e77f8a5fd77adac7
SSDEEP

49152:Mx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+Cks7R9L58UqFJjskU:MvbjVkjjCAzJLC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
468	Process not Found
2780	alg.exe
1944	aspnet_state.exe
528	mscorsvw.exe
2864	mscorsvw.exe
1612	mscorsvw.exe
760	mscorsvw.exe
1396	ehRecvr.exe
1416	ehsched.exe
2928	mscorsvw.exe
2680	mscorsvw.exe
2624	mscorsvw.exe
2212	mscorsvw.exe
756	mscorsvw.exe
1748	mscorsvw.exe
856	mscorsvw.exe
1096	mscorsvw.exe
1972	mscorsvw.exe
2220	mscorsvw.exe
2888	mscorsvw.exe
1060	mscorsvw.exe
1300	mscorsvw.exe
1756	dllhost.exe
2304	elevation_service.exe
1384	mscorsvw.exe
1608	GROOVE.EXE
2248	mscorsvw.exe
2320	maintenanceservice.exe
2824	OSE.EXE
2772	OSPPSVC.EXE
2848	mscorsvw.exe
2796	mscorsvw.exe
2176	mscorsvw.exe
1928	mscorsvw.exe
2052	mscorsvw.exe
1564	mscorsvw.exe
2644	mscorsvw.exe
1972	mscorsvw.exe
2680	mscorsvw.exe
2604	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\270e7eeec0d5d3a4.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_no.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_ml.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_hu.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_da.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_sk.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\psuser_64.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_lv.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_ca.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\GoogleUpdateOnDemand.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_tr.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_et.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdate.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\GoogleUpdateBroker.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_ar.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_cs.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_sl.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_sw.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\goopdateres_te.dll	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4846.tmp\GoogleCrashHandler.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9A6A394C-799C-4344-A7AD-1668764593FC}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9A6A394C-799C-4344-A7AD-1668764593FC}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2992	ehRec.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1992	1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
Token: SeShutdownPrivilege	1612	mscorsvw.exe
Token: SeShutdownPrivilege	760	mscorsvw.exe
Token: 33	2440	EhTray.exe
Token: SeIncBasePriorityPrivilege	2440	EhTray.exe
Token: SeShutdownPrivilege	1612	mscorsvw.exe
Token: SeShutdownPrivilege	760	mscorsvw.exe
Token: SeDebugPrivilege	2992	ehRec.exe
Token: SeShutdownPrivilege	1612	mscorsvw.exe
Token: SeShutdownPrivilege	1612	mscorsvw.exe
Token: SeShutdownPrivilege	760	mscorsvw.exe
Token: SeShutdownPrivilege	760	mscorsvw.exe
Token: 33	2440	EhTray.exe
Token: SeIncBasePriorityPrivilege	2440	EhTray.exe
Token: SeDebugPrivilege	2780	alg.exe
Token: SeShutdownPrivilege	1612	mscorsvw.exe
Token: SeShutdownPrivilege	760	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2440	EhTray.exe
2440	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2440	EhTray.exe
2440	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2928	1612	mscorsvw.exe	38
PID 1612 wrote to memory of 2928	1612	mscorsvw.exe	38
PID 1612 wrote to memory of 2928	1612	mscorsvw.exe	38
PID 1612 wrote to memory of 2928	1612	mscorsvw.exe	38
PID 1612 wrote to memory of 2680	1612	mscorsvw.exe	39
PID 1612 wrote to memory of 2680	1612	mscorsvw.exe	39
PID 1612 wrote to memory of 2680	1612	mscorsvw.exe	39
PID 1612 wrote to memory of 2680	1612	mscorsvw.exe	39
PID 1612 wrote to memory of 2624	1612	mscorsvw.exe	40
PID 1612 wrote to memory of 2624	1612	mscorsvw.exe	40
PID 1612 wrote to memory of 2624	1612	mscorsvw.exe	40
PID 1612 wrote to memory of 2624	1612	mscorsvw.exe	40
PID 1612 wrote to memory of 2212	1612	mscorsvw.exe	41
PID 1612 wrote to memory of 2212	1612	mscorsvw.exe	41
PID 1612 wrote to memory of 2212	1612	mscorsvw.exe	41
PID 1612 wrote to memory of 2212	1612	mscorsvw.exe	41
PID 1612 wrote to memory of 756	1612	mscorsvw.exe	42
PID 1612 wrote to memory of 756	1612	mscorsvw.exe	42
PID 1612 wrote to memory of 756	1612	mscorsvw.exe	42
PID 1612 wrote to memory of 756	1612	mscorsvw.exe	42
PID 1612 wrote to memory of 1748	1612	mscorsvw.exe	43
PID 1612 wrote to memory of 1748	1612	mscorsvw.exe	43
PID 1612 wrote to memory of 1748	1612	mscorsvw.exe	43
PID 1612 wrote to memory of 1748	1612	mscorsvw.exe	43
PID 1612 wrote to memory of 856	1612	mscorsvw.exe	44
PID 1612 wrote to memory of 856	1612	mscorsvw.exe	44
PID 1612 wrote to memory of 856	1612	mscorsvw.exe	44
PID 1612 wrote to memory of 856	1612	mscorsvw.exe	44
PID 1612 wrote to memory of 1096	1612	mscorsvw.exe	45
PID 1612 wrote to memory of 1096	1612	mscorsvw.exe	45
PID 1612 wrote to memory of 1096	1612	mscorsvw.exe	45
PID 1612 wrote to memory of 1096	1612	mscorsvw.exe	45
PID 1612 wrote to memory of 1972	1612	mscorsvw.exe	46
PID 1612 wrote to memory of 1972	1612	mscorsvw.exe	46
PID 1612 wrote to memory of 1972	1612	mscorsvw.exe	46
PID 1612 wrote to memory of 1972	1612	mscorsvw.exe	46
PID 1612 wrote to memory of 2220	1612	mscorsvw.exe	47
PID 1612 wrote to memory of 2220	1612	mscorsvw.exe	47
PID 1612 wrote to memory of 2220	1612	mscorsvw.exe	47
PID 1612 wrote to memory of 2220	1612	mscorsvw.exe	47
PID 1612 wrote to memory of 2888	1612	mscorsvw.exe	50
PID 1612 wrote to memory of 2888	1612	mscorsvw.exe	50
PID 1612 wrote to memory of 2888	1612	mscorsvw.exe	50
PID 1612 wrote to memory of 2888	1612	mscorsvw.exe	50
PID 1612 wrote to memory of 1060	1612	mscorsvw.exe	51
PID 1612 wrote to memory of 1060	1612	mscorsvw.exe	51
PID 1612 wrote to memory of 1060	1612	mscorsvw.exe	51
PID 1612 wrote to memory of 1060	1612	mscorsvw.exe	51
PID 1612 wrote to memory of 1300	1612	mscorsvw.exe	52
PID 1612 wrote to memory of 1300	1612	mscorsvw.exe	52
PID 1612 wrote to memory of 1300	1612	mscorsvw.exe	52
PID 1612 wrote to memory of 1300	1612	mscorsvw.exe	52
PID 1612 wrote to memory of 1384	1612	mscorsvw.exe	55
PID 1612 wrote to memory of 1384	1612	mscorsvw.exe	55
PID 1612 wrote to memory of 1384	1612	mscorsvw.exe	55
PID 1612 wrote to memory of 1384	1612	mscorsvw.exe	55
PID 1612 wrote to memory of 2248	1612	mscorsvw.exe	57
PID 1612 wrote to memory of 2248	1612	mscorsvw.exe	57
PID 1612 wrote to memory of 2248	1612	mscorsvw.exe	57
PID 1612 wrote to memory of 2248	1612	mscorsvw.exe	57
PID 1612 wrote to memory of 2848	1612	mscorsvw.exe	61
PID 1612 wrote to memory of 2848	1612	mscorsvw.exe	61
PID 1612 wrote to memory of 2848	1612	mscorsvw.exe	61
PID 1612 wrote to memory of 2848	1612	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe
"C:\Users\Admin\AppData\Local\Temp\1438391f3806ca669596b98b4fe5449628dab6cd6970846147198e17fc9cce16.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:528

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 244 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 1f4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 1f4 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 290 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 270 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 298 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 2a8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 27c -NGENProcess 2b8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2b8 -NGENProcess 280 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1f4 -NGENProcess 2c0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 158 -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1e0 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1396

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2440

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2304

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1608

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2320

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2824

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
daa6900f8b14893e632f20b5ee955ef5

SHA1
8f66926bdfc38d8b281d136a2d4cc8702b7a06a8

SHA256
b6e8fe3cd8e6067b6f0196af0deda96d8ac83fc06bd2c7b78aa5346a1ec22412

SHA512
72dd2c956d579f4d09cc3189233e34d2ada464ec9b1ba34cd1337eaffb525eab70da8b730f1d6a0a506a37a28be8c91c5723585154c95f6dc366d557caedd455

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
8.7MB

MD5
689232c9b3c2d0cb51515ad2b6d7ed89

SHA1
f1e09f062742d404d434249e1f8a5a3ebc27dd48

SHA256
b10a04e583139a57ccf93adbf76cb1a30c665fe48b541052e896b9421e6a82ef

SHA512
d0830a710b70b5777e7de5655a6b7f1555379af8817daf5ed916b35b1c2cc6ab4e5d6e1ee34d218d9af9e1805fc99d8caaa9678682bd48c4ab4a7dc13c1b1500

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d103ba7210cd29715108b13ea8bbc051

SHA1
b6d8cd3adf9c86805c6c81c20dd461f4a0a78c74

SHA256
22c5b2e574c8bc7c498bfb6cad9412774d7780bb92618edbf2ff6db2c12e4b1c

SHA512
a5faa44a4d990e09b2e32fd95c2aca6fd4930ad6a3ce688a1490f7597689cf3e05151f8f5c32b502708463273a8f5198532d538053acc9a76a65b491a777d034

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
c2c9e0c03a2fb585143120c9d6b52de7

SHA1
713746b8b4a668817e101be742cddfdd46b3c3f9

SHA256
f57ba2fbc5edeb43e1dd84164337cbfa6701254a3f38b918c2d3464426e5048f

SHA512
a543c545cac522288ad5996998ab2073674220a3382e2278674370c2e0ea920fd20842d79a9889037ce7b9537c7c5b4b803a43e3d4b7f2b7fe99b324eca49cd0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9ed3007013fd601b03c4cd15d127d692

SHA1
bfb388b1dd54eb03b488dba507fb88013ea89e2d

SHA256
ee312a6d340f45259d36d861ff86ee13108efc085c4577d9f58b1bb7936fa444

SHA512
e4431bac690b3867f6019ed0a5dba5a69fb9e10a27a258b3fee691159be7352dfe888c3b7bb8a1a824ae4ba349ad9ca5cf7cc6d7473a7b4c0f8e46a9dad3f4f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
902ca6edea197162ea4ffac639eaec4a

SHA1
3d46b70b4d79ba70d21a2347cc450a2c427f8367

SHA256
9406c207f253a7beae9d722b3791af0ae8a522961563257d5f64332c8c594c4c

SHA512
a8b5af5217260cea0ead72ddcfcbe7d8fe8b7861e00654a1f1c3845c4935845311d07a1f5a19fe910a1494f873a06a3403fbc30f9d5ebc7aa2bd03966b181372

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
813KB

MD5
91197eeed9a511e49e8d4674c23a19e3

SHA1
d746e4df7a88adf56b75763cf1c92e1a3d33880f

SHA256
3355cf6c2e16cb330ee81be6ed47a560667170c2287f4bb25389c9bcdd635fac

SHA512
9cf420d0f2fd3c1ad81045b6032f891808596dc699462db0a9790050f355058838695a640a94b3c76d1be522dcd4d8cca698131275103bed896da04a00faad80

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
54c68bfc2b1776658cdbf27993666b7a

SHA1
a9b4aacbea78a37865821dfe5edbaf8bc91b191c

SHA256
5d34fd6b727cd16316eb6572e488556b47d2c4a1c79fdb8f4aaf93535ada4c5a

SHA512
77a27ee3fc922f1fa1d3ae28a8f10c85b1754bd9512ac4eeecc456e0e270804dad89d97e29c17a72b48c79a7ee7506998dd90d0392cda183c70e9334167b5a2a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
221KB

MD5
43379f90a322981aa65b908285f85048

SHA1
0a5be8034cf1053b33a48162f057574059e7d056

SHA256
c236bc07a489b65d116112b3fd20893f929e042b641c7be69b55e14633f7d85a

SHA512
d62848a0c655c1bc5b5d8e3ec36e38efaceb0eb8013f64f571f3a53e588dcf67323bd406d787048d0d2b6be53139b3ab7a6b2e437969b5574952cba20c3186d3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
363KB

MD5
b5789541d92073b95b1562a299d45261

SHA1
cad692e7497b192f51d9f94270f52f958bedb7bd

SHA256
4d9b8c0abf187819cec01be734d14e6bb798486742a14600223287c3ef751c7d

SHA512
bf12a35bb44582199d09497202918f93c53b9cb46876667c137b8bd07991eee9b2f4f11705cbcd036f55bebe4a7d43371e06eb10e30de527cf9d27ea9622bce5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
70f8986ee2aa24c4a20c8a6fb478109e

SHA1
f145128c21332c1095f37743ec0fccb73f1d8c39

SHA256
28f90009370ad3933c76f571685fda63d82982bb47be776a9d90ce83a6220879

SHA512
a8b3a7ed5f9e78c8410509870b7db67cc9f8f12482ee663218aaa289e81b691737f526ffd5e8bed44a29d9d366208a2491bbcd46562ca2bb94fde6e394ebfb2b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
8635492f00bebfe2a4509533ac7597d8

SHA1
4ce0c2db197c75b39c1ce68ee3ea30f524b66f6c

SHA256
3d96dd9e62f1addf034e1b591465138b4677ed3b0e083906e919355a4830bd20

SHA512
28f041c683ce9443a0f1a63058c065c0dfdbcd688a8fa46d00bf5769b5e2c22e5dc0e19f4efb1a30209ea7095c18c1c532701b85688c06eba2a15a3b8989644e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
55e6a2ff1f917f77ccaa9185faa3b300

SHA1
d2196ddb9c915a39b2c0e4afb4933e470706c79d

SHA256
68c1c034c01b26c369a2a408bcf444189a7f2f3bc0819822c5f595e56a0f510b

SHA512
5084cc8229b45351ae286ad662b478818f8467b9fc00334bfed8f2d1446d1577e74884fb02091612aecafa3c0c38c0934ec949bf91d2a0c46c17c1bce7053d25

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
592KB

MD5
e422b44ff415415f920a650c75a86d46

SHA1
1692947caf4c21dc82940efbf6d67107907678f8

SHA256
1a657318c8fc8d2182b4ba463f0e80ff2c87217640edab787075f4a14538c3f9

SHA512
f3ea80b884407481355a01be68ac68a4dca7f1ca106294d1a7af68ac344e6a6208dea10518ab3e5f045c1991441bf1be2149aabaca03cc53412dbd68f3503c1b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
438KB

MD5
8125075e24162326d43956749d384a4e

SHA1
a76cb5677e560391122688deca936aadff84ed96

SHA256
e04a9a5ad03827348e4e277ba303bc070f6319f67d27999109829dbe0d01b239

SHA512
35eeed2c1d8f28460b4b040a937a415d101b26056ae6e19344490a66915c345b9db41b5f121c344c7601eb3471cea5868a8668d43fcc461c24ff978c42765efc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
ec6fcdf6a8c5c8f4e317faee4bb5f21f

SHA1
c602f44e21b6fa6127dfff4d065e943db365723f

SHA256
17970552589b1c4b17d6980bd332f749d121ddb56bfb19efdef0854d2cdaec47

SHA512
26f7ae607bfd753d133bdb85a06328523454e37215ad8fe96d130893c3e278a4b52da0ba4dbeafdff3881c99c86ab974cd80ad18157353a178134c42247b58c0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
868KB

MD5
738004fcf36e26fd640f4fcc1091467a

SHA1
6117fc8eceb205c96ca06e7371a19b9bba0006b7

SHA256
a1baf72f70df14863597ef397ff913f7cfe61b35daffcf2c42fef6ee6ddec618

SHA512
2a435425958fbb6a52713b5537c6c17e18b5b91d88f3a4edb08d60dee9a213e72096e5834df4037a4626009334a3f801b929ef655345263c189c06c52fe784fb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
f4fdf4029c2203c177bc1bde03b3ec8f

SHA1
c66ae9fac308334d4365705b169992b5330d0ad3

SHA256
5c6e61d8cea0bffcb29eaf83a0966275ef0c719dba4ec16ad9afb6bdc99040e0

SHA512
b6f385f561bcff8b7bb0ebf5d7aa2661c51de70321ee05db28ee533f97ddbdd992694fcf17e0afe214399064f2c1d86e4f6452c06827c7426918567f857dcf73

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4442ebd349b38a4d1f85185f497a7cef

SHA1
044fc6bd23f05be5d155e45b9cd0a8cb2a0c4722

SHA256
254c5824eeb97f924618e9bf39eceba034afc9e09406cf187c551d4f6d05bd30

SHA512
cd75196ecd2736da7566d09daa7bd49e4d84d6191100c8b0199190054678cfedbd1f335c3e22337175072b105a09af02dc9b3c53fdfd5d9c6ce20ba13de401b0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
463KB

MD5
5a2e5791022d38137eb58c30a5830839

SHA1
6c1a0c2ed262c44fe59cc934181b261e09b8f8f7

SHA256
1246bdaaaedaf8ed9c9b1b9be04eff721e9799aa58186f08e17a6c49bfc16be6

SHA512
a4a2224551e3fd5cc8280dd245c172740c28e02d680f5c1f8d847850384b47568f4fa5e95c4b3cc1e8dda4dcc272887bd8ca85d5d15f038182e82891bd9d643b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
410KB

MD5
99b372bb1ca5a3aa5ea5f4133116046c

SHA1
c64b526f5fbcb04843d63aa3995853419c743f76

SHA256
aafdb594c7925422d706aed3e1ebe296d2200e374efdcf28ce65af039f1d8c4e

SHA512
2249dda94dce7e9729b33c051ed79af491230839b17717381cb043abe0ca59486974e62ced7069ef8b935f40426956de72b7c229b17feb9d4b2e1fc2a2465802

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
560KB

MD5
340f146db949e6ece174121e489f89dc

SHA1
6ad173a7e0a3737bfad19efcde5eb0f42196126c

SHA256
06a52c3eaa03797d8a4b16c3b39fe12aad345633b4dd3af6ab4ce0d259ade5b7

SHA512
347a2e68c51a3a3d310172693893b97904ad67d436641013895cf9c7c4e5b1ea1f18f848b5457c76a1229a90d8c01f2f6772d4f5a6912b81012e336a9b8f72bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
429KB

MD5
ecf90eb125778ee4cf19f88d41d9cff2

SHA1
5ac629050bba6e06fff8fe6132bce1780ed122e1

SHA256
a7c2d51652db106abab1c52f958f6ee8241ee703151b759c8dd770a9f03f056a

SHA512
8f5d3ed579a231686fec6280a6369bbdd10264a7802e56b2c3e6f710d63d432159c4dbbbd060798734f600df146be294f8995b32a37eda78b672b25943ed1c3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
b0b89caf52452948e0e53a56d2dea226

SHA1
608df7f66710f266ef4696cca96743917cf3cd5f

SHA256
f7e198502b3c599d65a46da5e6bcff43234c5d46a2c1dc8158498d671cdfecd4

SHA512
328a396e2da03ed4a0cad240451a46d1cbb454896aad5904a62adabe5fc12d19479e75215353a85f2e3301e69833833252ffb8745c222eddf729bb59617fc6b3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
896KB

MD5
308a7ecde8f4020c07c0d848dce6325c

SHA1
aa3990a9385a32d4634644c0594d083360a3c25a

SHA256
a85931076bbfd565af69f22480d15d375bdc6a4701b844bfbe4757dd985a5492

SHA512
bcded284ce685941ad5c7836a6cf1898779b7fe9d964f4f2fe18f5f56625ed09f782bf2ec91a75f4e786d2037659ccf54239f8e7007989c9b91e6455406bd7e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
a6671dd22b3995914d912b7ae999e58c

SHA1
35342826c2ac3504ea877d1d24206ad8023c9649

SHA256
6ecd54f9cd3ae62a3706ec71cd319b0c44437624d374d44b1c2cd9150bf8753c

SHA512
6a6d866ac589b533bc378e42a37244e16c5530af9de136d2d11a2c1accd88c83b1633cad8f34987a75c66c1148a49436631174b5f90d0b010d6def7dec6580e3

Download Submit
C:\Windows\System32\alg.exe

Filesize
262KB

MD5
4a85ead9dd030e4fff8d1893fde778b5

SHA1
49a6042c2d50f24748dba03800a53b84b360c270

SHA256
ebe36040e5e510c6eca516196e45774f96730561225b4954e0f4758335ccea09

SHA512
f237c7bafbb4b5c959cfb41918673c1113804ff6c5e64dbe9c83be2313964ebcca887ff2a549ed1ef26e72c345eef8720f6c79211e08f404bf0c56540ba3c89b

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
0108f642b52c978e6402169ccc445d26

SHA1
32c382301af6538f7bf611868ef36f6428c48c3d

SHA256
0e0822da9c9d659894e9c1f0bbb878d87c87418336cb6d73e213da48c7795cb6

SHA512
7bcac91c83d7f5769aac0a4c6a3d70bd8549222d34a8d58e92c1e4d00d80b6031f565fc2c0000566990317c5cb95f03d0d9eae673dceb94a95b58dcde7caa744

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
100KB

MD5
22e0edaafeef322480b2de61ec7000eb

SHA1
9a0959576a52985c01c89b84efe1f0b0a8ae5330

SHA256
dfdd9f7143ce53eec2d1086fa0b357db45217a46b8afffbb625aa3d396da8813

SHA512
1f995de7c11b862c475b030d376c3e4b9d7361e5dc2dc8282144e87dc48580dfb2a400e60d56b0794ba3cec371eaaca7ce321f4a07c037a74aec69be8b4e9331

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
906541ede8357a3330ef842d7a004209

SHA1
173b9d07eaef1a4b4e271ed459f493310ef8c3cb

SHA256
5b4660c0c5773d0297c8f3e88db75af5c88c76cfcf2edcd07f792d8325749925

SHA512
9851bc41ce9826d67f2ca507d788c97cc9eb81db11000362cedddf372dbf3acf31a6a7d13d7f755d91231433118152952811ff2e5800ec5f6de5677663a628d5

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
1b727a9e54681f18438c116f3016cc2e

SHA1
b4f616e58fc069f2ef7e5838aef8bccd666f9348

SHA256
1e78b637f07bb0a6f92dc5ad26f9425053c1fe1dd9ad0e01ebedb46e27e1e2e4

SHA512
43ed6a33f2e7b85cc1022ef526066edb746ebabf879012252909e4d93c58085c7068a4696e4cbb00709645a5da517e082633fb65db579edf7973a5573110be5b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
cdecbc0e03868b0360d49d82f5498c0b

SHA1
32541792ff8971504597ea0fe669ce35513ec7d6

SHA256
b1a67ef6d6b975193a5374b70d8dc28316cc077b759d7d65a65bd12d195b7058

SHA512
62734f81512707b596ef5f0c42aa4abd7b8041977124b386f83194a9a1500442383080eb1b343dd9f1115309dfa23e40ca26f14f28ba2e32b907b0035a7f2b5d

Download Submit
\Windows\System32\alg.exe

Filesize
180KB

MD5
1a0cf33263110e2806ac9ba7f3711d39

SHA1
4e235ed8a75e3796ec97974787d59125b37b5d26

SHA256
8b7aefcf12bbb03f92b3e7861ab73060e724e41d62a10d022483a48f0d0c4a0d

SHA512
cf9c4f2f90add99ed47169cb51f282f8994de0cc33cef19e02ed3466e4448501c73a65254d7a903da5db7cfa413726d89f14a9a9630656315175f4a41e417aac

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
98632969133c7fa7e1c5b495fe51f996

SHA1
8ca4dd6cd86efcdcf7396757e97c34945a1d0a76

SHA256
3f4ff65030b61ec12101644713981894770bd3dec401f6517ad823ce5f4a6010

SHA512
12fdc863d9d4df1237f6ef4e51200452c465cfc1552f90814b11432e19b57b633357aabe20cdda661ccc05c1e7b3cfc0f9e25a5f873e28ce6ca5b5b77569901b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
189KB

MD5
1701624d1b0fd83cd16089c51c92ab37

SHA1
5e1a34ba4ef4cfd152d86b117c5f6eb5bd0bc2e0

SHA256
6e52e3f8b5e9b75847c4008df2d5bf148c6180ddcddb56fef9fa1124437fbb9f

SHA512
6fce6de26ebccc3584b07ff8e8c0ec3889c28ff9204b650ebe3f58e0c19fbb864d29648bd87e92dc116d5e9fb2e25a85d2e4ebb93db5b3d1c55feac0dbee4f63

Download Submit
\Windows\ehome\ehsched.exe

Filesize
24KB

MD5
eb45580d602edeef5060d41a94758d30

SHA1
e9c86af39dbedf2e2376398d3470800978b86af4

SHA256
0ce58401fb70444a8cacfd58750920ded7881e2281f437df7489b6db9f43e971

SHA512
4e1ac77febdf14dfe72debe027d74aa38e07346b25ce0d37d248fcbc74949a3d55ade82467512dfee606b364017e89b0d49399275a989f8f681b556fa3c95d14

Download Submit
memory/528-114-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/528-98-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/756-313-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/756-325-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/756-341-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/756-340-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/756-319-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/760-132-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/856-358-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/856-351-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/856-345-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1096-367-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1096-361-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1396-229-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1396-143-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1396-240-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1396-149-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1396-261-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1396-142-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1396-156-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1416-155-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1416-273-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1416-233-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1416-237-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1612-250-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1612-124-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1612-119-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1612-118-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1748-330-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1748-335-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1748-356-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-357-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1748-355-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1748-342-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/1944-239-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1944-95-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1992-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1992-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1992-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1992-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2212-300-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2212-323-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2212-324-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-310-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-308-0x0000000000BD0000-0x0000000000C37000-memory.dmp

Filesize
412KB

Download
memory/2624-283-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2624-291-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2624-295-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-304-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2624-302-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-267-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2680-277-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-292-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-272-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2680-293-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-154-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2780-27-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2780-28-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2780-79-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2864-107-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2864-126-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2928-249-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2928-252-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2928-276-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-256-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2928-262-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-275-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2992-289-0x000007FEF40D0000-0x000007FEF4A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-241-0x000007FEF40D0000-0x000007FEF4A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-242-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2992-243-0x000007FEF40D0000-0x000007FEF4A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-245-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2992-258-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2992-327-0x000007FEF40D0000-0x000007FEF4A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-290-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2992-294-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download