85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
Size

1.8MB
MD5

cbf5d6d00d41e7ae50b8e5b59ddb42ad
SHA1

6db15d3a3783062306cbfb1bc03dfab2fdf8a83a
SHA256

85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e
SHA512

bd1a5d142f9a1ffaf9045e058fe0cf97b95ef587bdb6ba1ebc63b16359d99bce2085f5452c4cd09db9bedaa7bc5eb811c4f2db26655736d2dfd303db69deb49e
SSDEEP

49152:ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAXYd4nZ4+ZI8TS2:avbjVkjjCAzJF4ZA7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 39 IoCs

pid	Process
464	Process not Found
2348	alg.exe
2896	aspnet_state.exe
3056	mscorsvw.exe
1216	mscorsvw.exe
1532	mscorsvw.exe
2848	mscorsvw.exe
1424	ehRecvr.exe
2432	ehsched.exe
1704	dllhost.exe
1924	mscorsvw.exe
2332	elevation_service.exe
2788	GROOVE.EXE
2564	maintenanceservice.exe
2544	OSE.EXE
2920	OSPPSVC.EXE
2560	mscorsvw.exe
2912	mscorsvw.exe
1216	mscorsvw.exe
2976	mscorsvw.exe
2176	mscorsvw.exe
2296	mscorsvw.exe
856	mscorsvw.exe
940	mscorsvw.exe
536	mscorsvw.exe
2536	mscorsvw.exe
2736	mscorsvw.exe
1472	mscorsvw.exe
576	mscorsvw.exe
2000	mscorsvw.exe
2104	mscorsvw.exe
1364	mscorsvw.exe
2712	mscorsvw.exe
1088	mscorsvw.exe
288	mscorsvw.exe
3060	mscorsvw.exe
1656	mscorsvw.exe
2444	mscorsvw.exe
2052	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fa43c150223c682a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_gu.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_et.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_th.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\GoogleUpdateComRegisterShell64.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_it.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_ml.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_lv.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_ru.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT4A5A.tmp	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\psuser.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_pl.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_hi.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\GoogleUpdateBroker.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_kn.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A59.tmp\goopdateres_iw.dll	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6F888826-DB1A-4B15-862A-4B97DD765519}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6F888826-DB1A-4B15-862A-4B97DD765519}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	ehRec.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2404	85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: 33	1680	EhTray.exe
Token: SeIncBasePriorityPrivilege	1680	EhTray.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeDebugPrivilege	2776	ehRec.exe
Token: 33	1680	EhTray.exe
Token: SeIncBasePriorityPrivilege	1680	EhTray.exe
Token: SeDebugPrivilege	2348	alg.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeDebugPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe
Token: SeShutdownPrivilege	2848	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1680	EhTray.exe
1680	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1680	EhTray.exe
1680	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1924	2848	mscorsvw.exe	38
PID 2848 wrote to memory of 1924	2848	mscorsvw.exe	38
PID 2848 wrote to memory of 1924	2848	mscorsvw.exe	38
PID 2848 wrote to memory of 2560	2848	mscorsvw.exe	47
PID 2848 wrote to memory of 2560	2848	mscorsvw.exe	47
PID 2848 wrote to memory of 2560	2848	mscorsvw.exe	47
PID 2848 wrote to memory of 2912	2848	mscorsvw.exe	48
PID 2848 wrote to memory of 2912	2848	mscorsvw.exe	48
PID 2848 wrote to memory of 2912	2848	mscorsvw.exe	48
PID 1532 wrote to memory of 1216	1532	mscorsvw.exe	49
PID 1532 wrote to memory of 1216	1532	mscorsvw.exe	49
PID 1532 wrote to memory of 1216	1532	mscorsvw.exe	49
PID 1532 wrote to memory of 1216	1532	mscorsvw.exe	49
PID 1532 wrote to memory of 2976	1532	mscorsvw.exe	50
PID 1532 wrote to memory of 2976	1532	mscorsvw.exe	50
PID 1532 wrote to memory of 2976	1532	mscorsvw.exe	50
PID 1532 wrote to memory of 2976	1532	mscorsvw.exe	50
PID 1532 wrote to memory of 2176	1532	mscorsvw.exe	51
PID 1532 wrote to memory of 2176	1532	mscorsvw.exe	51
PID 1532 wrote to memory of 2176	1532	mscorsvw.exe	51
PID 1532 wrote to memory of 2176	1532	mscorsvw.exe	51
PID 1532 wrote to memory of 2296	1532	mscorsvw.exe	52
PID 1532 wrote to memory of 2296	1532	mscorsvw.exe	52
PID 1532 wrote to memory of 2296	1532	mscorsvw.exe	52
PID 1532 wrote to memory of 2296	1532	mscorsvw.exe	52
PID 1532 wrote to memory of 856	1532	mscorsvw.exe	53
PID 1532 wrote to memory of 856	1532	mscorsvw.exe	53
PID 1532 wrote to memory of 856	1532	mscorsvw.exe	53
PID 1532 wrote to memory of 856	1532	mscorsvw.exe	53
PID 1532 wrote to memory of 940	1532	mscorsvw.exe	54
PID 1532 wrote to memory of 940	1532	mscorsvw.exe	54
PID 1532 wrote to memory of 940	1532	mscorsvw.exe	54
PID 1532 wrote to memory of 940	1532	mscorsvw.exe	54
PID 1532 wrote to memory of 536	1532	mscorsvw.exe	55
PID 1532 wrote to memory of 536	1532	mscorsvw.exe	55
PID 1532 wrote to memory of 536	1532	mscorsvw.exe	55
PID 1532 wrote to memory of 536	1532	mscorsvw.exe	55
PID 1532 wrote to memory of 2536	1532	mscorsvw.exe	56
PID 1532 wrote to memory of 2536	1532	mscorsvw.exe	56
PID 1532 wrote to memory of 2536	1532	mscorsvw.exe	56
PID 1532 wrote to memory of 2536	1532	mscorsvw.exe	56
PID 1532 wrote to memory of 2736	1532	mscorsvw.exe	57
PID 1532 wrote to memory of 2736	1532	mscorsvw.exe	57
PID 1532 wrote to memory of 2736	1532	mscorsvw.exe	57
PID 1532 wrote to memory of 2736	1532	mscorsvw.exe	57
PID 1532 wrote to memory of 1472	1532	mscorsvw.exe	58
PID 1532 wrote to memory of 1472	1532	mscorsvw.exe	58
PID 1532 wrote to memory of 1472	1532	mscorsvw.exe	58
PID 1532 wrote to memory of 1472	1532	mscorsvw.exe	58
PID 1532 wrote to memory of 576	1532	mscorsvw.exe	59
PID 1532 wrote to memory of 576	1532	mscorsvw.exe	59
PID 1532 wrote to memory of 576	1532	mscorsvw.exe	59
PID 1532 wrote to memory of 576	1532	mscorsvw.exe	59
PID 1532 wrote to memory of 2000	1532	mscorsvw.exe	60
PID 1532 wrote to memory of 2000	1532	mscorsvw.exe	60
PID 1532 wrote to memory of 2000	1532	mscorsvw.exe	60
PID 1532 wrote to memory of 2000	1532	mscorsvw.exe	60
PID 1532 wrote to memory of 2104	1532	mscorsvw.exe	61
PID 1532 wrote to memory of 2104	1532	mscorsvw.exe	61
PID 1532 wrote to memory of 2104	1532	mscorsvw.exe	61
PID 1532 wrote to memory of 2104	1532	mscorsvw.exe	61
PID 1532 wrote to memory of 1364	1532	mscorsvw.exe	62
PID 1532 wrote to memory of 1364	1532	mscorsvw.exe	62
PID 1532 wrote to memory of 1364	1532	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe
"C:\Users\Admin\AppData\Local\Temp\85eb65c86909a094741ad8539fc91ca03fa654dffba5097954eb885a27b0243e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3056

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 24c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 1e0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1fc -NGENProcess 1e0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 278 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 1fc -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 280 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1fc -NGENProcess 27c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 284 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d4 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2dc -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d4 -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 320 -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 320 -NGENProcess 2d4 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2e8 -NGENProcess 2dc -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 15c -NGENProcess 160 -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1424

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1704

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2788

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2564

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2544

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
db7cdd8d59e324960e1c5b68cd8078bd

SHA1
9346f223d989383c7c0e072a93d93213074728f6

SHA256
e225c88356487b857bee77c349e236bd5dbe86ab658d5c2e31c872b8b2c28962

SHA512
efd22c230f2b47d1e71f954c867b0eb8d646d408f4eceeb80c8265b85b01b1cebead0a726d3499bbb2e7f609c3e702bb54f1bb0fc9a757a9ec6d0bacccd0d6ca

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
92b73bc80667f773df6cc9fcd4dc520e

SHA1
ed4f20cf3805dc2e70102a23f61055bb664cc742

SHA256
21101a074402e0f38c4f820cc5e67899a45e37a7dc2225d98647d182479d5c43

SHA512
33c5360457349dcf2df3c7320708151feb0210e9c97f1d8f7bbb26d9502811eb8b66454174844094870f73d9f394ca2e1de91779c6233967f65e2c8ec529259e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
5ce0b2bcb53ca1ed50ff2a543a6f3f52

SHA1
0da5bd9b24ada487e1c83b6f4d4eb95c048aefab

SHA256
9339f2bd52dc828b8b6cff6fd75686edec9f06fa6169b583e4f31ac7dce2c6b1

SHA512
a1015aa772e0bc1f2742fd971346f910c6e7fb8a0b90ab71103aa253294e8be1177229b4ca5d9cbe081e1bc1945acb5f02353c42a03705af37e60277829e2b13

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
86983027212afc4c810c05000b1c81bc

SHA1
92ac69583e45ebc7d83d4901fe23ea06028b70d5

SHA256
1171f8d14d5e0f353347c114343d4d581f6873ed9545b070fd8e462c753c7299

SHA512
88168600680f9524f09a874328ed9f830ec722dd4a3f2154977b466474e429e23f602bd5d9ba1f2abbac04a8d796e52b80e73243f2114ddd1bff7a021938dadc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
3.8MB

MD5
e4004f92991f093dfcb6b079209e5338

SHA1
5c1ee2f0670b02ed09887113578bebe16dd7cd1d

SHA256
ca5450d4f7665a241a13b40695ae14a2959e711a565f1a4e65be99e5538b1c68

SHA512
b6583016e643f7f6b387848a429e7559f38ad70e9bf6d279a4d6f36ab9261d640a4b2dc90b2746c2f8614bb1d344e1c57cd37e92be611e6affd04c384e449074

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
39a53dfb4519d4e13c4fb63f4742e3dd

SHA1
a9ab7e0f5b3cdba80de39ff9f0894b6a377bc10c

SHA256
fc623a25dca8af27505bf7323e31594ebb01896e6f51550007bde8f9cd87bdd3

SHA512
c641cb0fbd7171f47fcc37d3b8ed93dcc7ff41c4759cabe551b726f2b711bd7aecd71b732aed72690d7e31fe49937e6a5ba5b02329baf50a87880805959c5482

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
9ed32bdd1dac07f2939fdc230237f22b

SHA1
8d1bf990dd39e9c5e7952aece91a889074e193bc

SHA256
00f77eec77b67f327ec394e2cb1b799f8fa88f5330232a2be80ec142666dc1f4

SHA512
c1b87a756547b2e29b5dfc2349e5b600e6e7c956222638b1b76850909816c6f8fd7dc7d3b135b7777dd8c5f9f68d459f209c9190d6ba544ccdee5f70001ef679

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
936fddb715bead10d690f4c4b0d0ec2e

SHA1
e09c91e59866afe24e6c4920bee95b3f67da595e

SHA256
c3d69675f599487d2744519a95c5e7231455edc4fa14a08ed23083fea885b2e8

SHA512
80300087219a6fb31bea1b785c6f061fcccacc0adf60df250fac4bd9c55aee5ac5efda85cee8d0e5ebe50b349234a890e6958695d0313e052f02a92143948109

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1f47f75111ff5aca97abf38b5a553a97

SHA1
a568f1e38f7a80bc8463171984cafe4d2e7e7bf6

SHA256
b2d29b0447ad24c08ec852e8e1002e22b7e7d5475c932c730be90dc82c4eb207

SHA512
b45fe76d2dc754555ac16c8e15f9ff5161cb8a32033ae76375c00c1328037d4e02fcf14d7c61483382b737ef047ca06cd5179f428f8d246734bb22848d5c6ea1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
55d52254dda610c4fc3aeedf3a170a46

SHA1
ef97f9f28c73831fa5154e64fda145310ea79fb1

SHA256
848f6f2a2647aabbfa9a23b50b6f5c7916799dcbb03bbb1596ce28530f623534

SHA512
161eaa4b1c03a8f43efe9ddd8ddc5a4154db5f9ba0ab3968268995709f7258bb7a0af9a28850fd055c0cb59094434376b7cd0d523d545482a42ec76bbf5a6ea9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
95b8e91783d4d1383760b51f9232302d

SHA1
66090c4bea96afe3b46c7cadde90145af1f0e977

SHA256
57bd1eb9d54b4a19ee2e20a1d1fe457ef4f80e78a0e19ec4349415a4f1fe8ba7

SHA512
38b20c9b23dfb6a63880715d70581873898931fcccd50946476dd8b77b4e687e5d950ba17a4133f8529126b0f6c6636fbae36af5f02975c745596a633aa958b6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.9MB

MD5
40e05ba7178483b7b25dcd385b66fcf9

SHA1
d44a5d6aef7383a4f2a683bb339cbb4ab9e3df76

SHA256
fdfeb5de531403179ac062e947c0091de28a1da3cc4f701ced0306c7d72f3112

SHA512
102ada200b4a10abb3d09f4b77d6da7453ecde6d528b9283c02d6139b94e60e0f3a4e937f9c73df3e16790c7923764f4a811a891fb6913fc8f748e975bed6f5c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2.3MB

MD5
d00a93883abba4657d8ae4997daed730

SHA1
6e4fd211beceff4b1d8031ca2fe29eca7cba299e

SHA256
3e4bda4130241f83d1777bdfd10134fff6f6161fddd970b4c3024a86611d61d6

SHA512
7c90821dd586febbfe86de509f0c7d6460663a5f537abae6183e70ca9aab43b541c730332317051bda1e0a2ee53aa8c5b3ca4413a8c7515d038282504ccb0b15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
91f2bfc855c974b46b82bf6f705acb4f

SHA1
a2f49dfe46afa258da6e521cb82b5005ce4f72c6

SHA256
0ee90afcc64e8b2cbb8a4314fe7e48a90951641d1091295d2796d85bec4273ec

SHA512
cb5e3923c050cf2510bc01d07ab0d4ec4db3bc551bea678b4fbd5fe165ef52b3ff8f345a007bc9d5ad8a0d5db64e397d00f2638cfd0c5504b7584745658be8bb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e5efae60bc5b0e237605692cadec5e6c

SHA1
691c7bb0182b34c0362b1639f274493f8f555ad6

SHA256
4fa6ddf28889722bcb090ef4d4f57b96d6fea3a8b4abace3027583da8815211d

SHA512
5f10c370eb42fb747aec6825201e42f15ae645e1e2db393ae77298c32c5fbee67c1921ee2bdc5dc0d7f53cd3ebc7ac8bbe17c6aa44d1f5c5c41fcf3bf915e72e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
15486f9b8fca5c0c6a01b558c9326e3d

SHA1
94e9c777e53a03e55397a00cf6cf1691fef3d99b

SHA256
5ef1dcfb172de3abe4804681a62f8dbf2363a54a516dd2552aead97393cfdbeb

SHA512
895eedbe43f5d3ab837fdfc88f1f2df9bc9ab2e481126aac018b73db52652512a68090b6fdf35195887e76a08de2437c182ac5fa074e401ec782753f5204aad9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8417728784acdda1bfeb2b2f4e9b3470

SHA1
b30c03d62f06765bc9ae7448069d9e71477be9d5

SHA256
83793e301e37358b8b20c4a29615c8cd5220ed4ac51defb6aa596ee6a507e369

SHA512
776de2c568c502e1ec3606061eed0558b5a04d4fdf1db68694bd115a46b05b123ee6cf7f3df27fe9bf4a99005a27b9010f181c18d9390738b268fa6086c20b74

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.1MB

MD5
5591372565a7ceb4414f21f1fca36cfa

SHA1
1fde9b8f65179d7634eaa56dd4ddda43c91ce9b9

SHA256
a6ed8a5959065d8aad2a97883f5661068fda0b1639a1512c8568b1418d2212c2

SHA512
8b813dc5df7960cdd266328cea41f982836478bfeacc25cfcedad8ec928ed70cc87adf6115e7c55db79178dd7aa48571822d1ddefb237776d297ae4c829fe7f5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.1MB

MD5
3f95a5552d172403415f136a9c4a677f

SHA1
55f227f7a1b1f7f4dd8ac0cf0cd0e22da4c2f94d

SHA256
1235555a006afe6bffbb63555bae8f640b296466f560352614fb722b03d6ca78

SHA512
ee1ff4af9ae5bc19189f2f5819361f32ddefeaed6215301eefbe21e537d931b27540732025bc3654eb36ae9eeab67c0578faa57b8937e112d13879d23873920c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.1MB

MD5
a83dc127558fd434c81ed1fb5e0e2a48

SHA1
d48599d9e6123f827d07ae958db68688e20d505d

SHA256
5b60abb1ea6aeafc6dddea40fe1610b7500ba4570fa2936f2b62371107b93d33

SHA512
9c3c67ba617ce9fe0d1d12163cdd7cb6072ad9d4b999899c3f5bfeefe60e7dde3335fa05719ddb4b8f0458454b90463804ffd59f0b2aa98f740716095349eabe

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.1MB

MD5
01f8a5a77108eaf6b23a682a19ef0dfb

SHA1
0aad423269bc67cc06edc6e65ee76f9e5ce43164

SHA256
26cce12803ab8eea2ba10e211552ec614013c7a301150bd5d0166050a482c3a8

SHA512
650717bbbc20c070ea2fbe5b0be82dbef74802cbc48d05ed274b853679b8a088a1a5aed2003697a05065d432eae2b91f37f820e4f01902ab19217622df4ce3eb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.2MB

MD5
8bbb7bb037e4020cf87c837ffd3f93ba

SHA1
8388a2f188f5ffc4ad9f026ebb9a55c9263f10f1

SHA256
db780f046a844d54f513ed8e0b05b6df6a0769dad3651177eeb399c7a1ddc630

SHA512
894301a56375eb68056daa61bdc42d729cebe2373789395be44c2a7c2d95a245185066b3c4897d2bb741986decb065baf93030bf0bdf5849a76b3566d251b55f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
f0c6e6bdf8156fb0e251c95a576d07e1

SHA1
2b681f9912e5cce7f2d4658f7d6af36ea2d7ee07

SHA256
789d83eb79577f135fc6c8f24cf7e2f26addcf16c34d2e1af7a19f6fd2ec1791

SHA512
a89cd6426cfac57f5174bd000eb883fc2e3a4003d992bbf831e2357bf1b266d0098d0f42e1eb39e517868f3d190488d0a7e82ae0390678b97f45d5ceacd5d4dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
13df2f77989eacc8d605ea961b04df3b

SHA1
41c6c61c20d12d5e2bea115f646ee95f98138b58

SHA256
b7220f155502925961e7c9e3d53966c79c43303f7c85a532b6ab8d588b08000d

SHA512
3d543432e23de729fc9a4f883e5bf3af0b7559560e7aad049e072954560ff0b2fdf90bc67ffd63caae7851d6d5f2218c544f4a4e0e1ff574a3de425b67a0bb64

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
87211a489d366ee72a1caba10b3629c2

SHA1
2f27e25e6ad205e71e41be0ab16b2918af7d51a8

SHA256
bfe9fa1f835caf01ef3834434bc6c8ee4749db07305bf7ec35a9688d7a078cd5

SHA512
df9a67bcaf8ad94ff38e02853595df18362106401703e394e25e7d6c905b82be5f942f168533258d84772957db044a4cdd7d3349ea2bf93005f2644784181971

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
dae1d17070a91a297cf25b7dba481c70

SHA1
f979e08ebb8659dcdb28c37919202e898f188dbd

SHA256
dc13e1efbc01bcd79c38d8395a9c27c7d38918c5667e2c66c694e027f674881f

SHA512
210d231cce215ec52ad394f850991592500082a97ba10e19a228ce043a5968936f37d163979f92ec4e9e3edfc9e15a5f0275eb2b862ba39d1cd82a015af5f8ab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
97fe126cc85f2f5f5934535857aeefac

SHA1
65845a1dd2e65bbade399df05c73548b34985e8f

SHA256
df85e14f4f14bb5ad873d68affdab80b2b0860864b231262b943025ed3024370

SHA512
7c9be662239c01f29107fc384f23e0c98c42ebd5a35b37b9692476361b75dd522e8ade10b44b83c38241ba4429dc16fa70e8c8497f9ae12630c3158d73682557

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
a1a9746a5238d7ce1e843023c86ddaad

SHA1
4ebc566004b11ed7019e0c94b14c351bc0ce3fb0

SHA256
0c3c573bdcfb9a6ec36eb265489eae76f5e9dbd1f57bc4b1006fb888aad87f27

SHA512
804e99412566bdf9afe36e5d1f40dc1404146c06fc968551ed5236b2dc61d8216bdf9c78b04b1fdff86db34534f6702b5b60853b0e50a623fc013b6bdd0ed7f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
936d2578f151ebe014463b34709c03fd

SHA1
cd3cfe437b211bba31c510aa16277a795b3a7854

SHA256
f3b9dd84fae9054570e61ccaecbc1794f8c5c021e0279869167fdc492eacc12c

SHA512
b57c3f4f021b161738a70f01f6c144a51892975fbbc1ac55940b0f6e682262171470c801693ce32476f7df9b1dc27f844ccc69071e5c5a03ae5738db24538aa5

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
5b8cad2e8b14c20fc0d4d49cca84a807

SHA1
e899d2a73c851c5398e53a87605d99bafaf66a88

SHA256
0d6a95e46329d8ff46bfcc6775c018a86c94c561b50b3c26c8768c27506ca1f4

SHA512
aa8ab95f68600b38845d97b10eb25177aa441a71af961ebc98cbe32999511c31b21a903eea28ab12e46749b0b54ab2e77467de2636dbc6a51cfeee04b47355ed

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
548f9a2bf8eb1ec219aa5ddc0faad7f6

SHA1
82428ae330aa66be72f7685c04e5ea87fade1093

SHA256
4f212efa748178db3ef6cd7eeac0e88ab3079680fae8a29a9dcbd4261fdcaa3b

SHA512
a15f08103b3d1cd73362fd300978bbfc4f8bcaaabc47523a99c4902c0768cda50e3a2dcad12999b7bd284868246bfa4a0108c0fcf197b61a3d3a8fdf52f4abe4

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0c63f896f85328198eefe0c94e3e8b6d

SHA1
954c360c4118060eb6bf54511e2cf873061689c9

SHA256
9e297a81c7d783fda1b6b078d2b0ca5b0d3b9ea8b25c34e3a51b81a3c43d498b

SHA512
560b5358464360db1839d93baef1dc5f10863ba5b338d6659c2c0e52f91f739c101913e574af17012a00491783825679a9c2aeec17d36555759c5a414683b77d

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
50addf2edbae8e40df1a0f68abac48f2

SHA1
300713672ccdb696a48138a8f503132d4bda8419

SHA256
b6daf7effbab26d1e7f6af094ecc1598b523fd4a5b15a9415292c4f00017df3c

SHA512
782f43df9e1839f99d5804085fdad6b4d5bc9201e4f5f08de5476de4aae74b1d3048791220ae8bae57c5058e233fcd891540a04c26d4f0f31281b046a4e4692c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
87a6a5cddd5a75773d3dbefdb87a12cf

SHA1
695410822cc3150db5ec48f648265ba42308a89c

SHA256
8ca675a35880a5916650ebd1785bd9286c5ca4d6ddbffdf3cc8c8063021b9e0e

SHA512
75edc529353dc2bf3dfbf7bdc3fd7105a0561d42c4092f9ba48c80dc3d359c9a4eb233142295820a4ea4f8d60394114c899a671bfd11aa6db7d30eea4a8ecf05

Download Submit
\Windows\ehome\ehsched.exe

Filesize
17KB

MD5
5157f72b580902f8cd0c52e6e33be202

SHA1
f63c9b5dc82516dc49b9b4c847582805d1472665

SHA256
8402a6216f49908a61789a41b69fe0e6164145884b3345813ba05b46b224b43a

SHA512
6e13b167dfc7fb6194a50af2b5afb0db6bf7d3bbd78c688bdcd52c343bc27ff3b9c91aaa31c317ce24434f0014e8babb165ce67f1095e2ae800acd3e265fa5c6

Download Submit
memory/1216-142-0x0000000010000000-0x000000001013C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-547-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1216-116-0x0000000010000000-0x000000001013C000-memory.dmp

Filesize
1.2MB

Download
memory/1424-153-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1424-169-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1424-252-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1424-353-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1424-166-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1424-154-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1424-160-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1532-125-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1532-126-0x0000000000540000-0x00000000005A6000-memory.dmp

Filesize
408KB

Download
memory/1532-132-0x0000000000540000-0x00000000005A6000-memory.dmp

Filesize
408KB

Download
memory/1532-273-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1704-487-0x0000000100000000-0x0000000100129000-memory.dmp

Filesize
1.2MB

Download
memory/1704-263-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1704-256-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1704-257-0x0000000100000000-0x0000000100129000-memory.dmp

Filesize
1.2MB

Download
memory/1924-269-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1924-491-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1924-270-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2332-499-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2332-272-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2332-284-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2332-276-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2332-502-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2348-13-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2348-161-0x0000000100000000-0x0000000100138000-memory.dmp

Filesize
1.2MB

Download
memory/2348-17-0x0000000100000000-0x0000000100138000-memory.dmp

Filesize
1.2MB

Download
memory/2348-43-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2404-7-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2404-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2404-0-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/2404-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2404-246-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2432-168-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2432-468-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2432-167-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2432-250-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2432-518-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2432-519-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2544-340-0x000000002E000000-0x000000002E14A000-memory.dmp

Filesize
1.3MB

Download
memory/2560-535-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2560-537-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2560-513-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2560-514-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2560-536-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2560-520-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-313-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-315-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2776-394-0x000007FEF4520000-0x000007FEF4EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-324-0x000007FEF4520000-0x000007FEF4EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-325-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2776-501-0x000007FEF4520000-0x000007FEF4EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-488-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2776-469-0x0000000000CD0000-0x0000000000D50000-memory.dmp

Filesize
512KB

Download
memory/2788-335-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2788-334-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2848-145-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2896-95-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2896-253-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2912-544-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-523-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2912-532-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-542-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2912-543-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2912-530-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2920-419-0x0000000074478000-0x000000007448D000-memory.dmp

Filesize
84KB

Download
memory/2920-336-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2920-512-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2920-517-0x0000000074478000-0x000000007448D000-memory.dmp

Filesize
84KB

Download
memory/2920-344-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2920-339-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3056-123-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/3056-105-0x00000000009A0000-0x0000000000A06000-memory.dmp

Filesize
408KB

Download
memory/3056-98-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/3056-99-0x00000000009A0000-0x0000000000A06000-memory.dmp

Filesize
408KB

Download