ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014

Analysis

max time kernel
10s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
Size

1.8MB
MD5

ea85f9414cd99ea382ec4e8df89b2890
SHA1

a64d8c444a463f194b69eb6f3797fb064963f0ed
SHA256

ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014
SHA512

be0b4dc43025547c40be379023cb274b86c7a89ffb601a17965be1a949bf393eea8144d575da4203861487239328be0c57873b0615b971a2aec4e132e82706e7
SSDEEP

49152:+x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAgiLlBUKubZrX+ld:+vbjVkjjCAzJjiBSTZL+ld

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
480	Process not Found
2852	alg.exe
1952	aspnet_state.exe
1768	mscorsvw.exe
2768	mscorsvw.exe
1324	mscorsvw.exe
892	mscorsvw.exe
1008	ehRecvr.exe
700	ehsched.exe
948	elevation_service.exe
2460	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\502cf122a37835d.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\psuser.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\GoogleUpdateCore.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_am.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_da.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_de.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_hi.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_is.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\GoogleUpdateComRegisterShell64.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_pt-BR.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_lt.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ru.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ta.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\GoogleUpdateSetup.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\psuser_64.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_te.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\psmachine_64.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_bn.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_iw.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ko.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_nl.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_no.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdate.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_id.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ml.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ro.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_th.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_uk.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_zh-TW.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\GoogleUpdateSetup.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_hr.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_sr.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_en-GB.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_fil.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_fr.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_mr.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_pt-PT.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_tr.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_el.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ms.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ur.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ca.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_es.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_es-419.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_et.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_gu.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ja.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_vi.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_ar.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_fa.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\GoogleUpdateBroker.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_sl.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_bg.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_cs.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_pl.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_sv.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\GoogleUpdate.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\GoogleCrashHandler64.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_it.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_kn.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_lv.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_sk.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\goopdateres_sw.dll	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1036.tmp\GoogleCrashHandler.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2432	ehRec.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2932	ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
Token: SeShutdownPrivilege	1324	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: 33	852	EhTray.exe
Token: SeIncBasePriorityPrivilege	852	EhTray.exe
Token: SeDebugPrivilege	2432	ehRec.exe
Token: SeShutdownPrivilege	1324	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	1324	mscorsvw.exe
Token: SeShutdownPrivilege	1324	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2460	1324	mscorsvw.exe	39
PID 1324 wrote to memory of 2460	1324	mscorsvw.exe	39
PID 1324 wrote to memory of 2460	1324	mscorsvw.exe	39
PID 1324 wrote to memory of 2460	1324	mscorsvw.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe
"C:\Users\Admin\AppData\Local\Temp\ab26d2552e5c69988bb3e4fc6e10ab43572ec5daa3f83ac82cc672140c812014.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1768

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 184 -NGENProcess 260 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1ac -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1ac -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 184 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1008

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:700

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:948

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2420

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2988

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1296

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2588

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2628

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:776

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:1624

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:2816

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:852

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2296

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:788

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1984

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2740
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
448KB

MD5
ce7c46ee6bec9ffd97a28de39ff40a3b

SHA1
34339ba6f51d64fee7208a841e88741e255e0d15

SHA256
0d4b3edb9fe1a16d27297442affa2b15df40361712bc840f60b9c6aa92d8c89f

SHA512
47d3e1aa771485d560765e049aa2b8f1b8af564ba9e56b780b7969c98d7d60a3ddc058946ed908cdbbd12466ad47316009f9540eef3d57933270cb4a2cff1568

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.8MB

MD5
e02c2b5ecc63175c8c209dda8bbe1c0a

SHA1
4ffd35a4de9e4758355795b20886cd99599498ba

SHA256
48e11c7bc512061bb0a7cec8c8ee90d31907af36764b2bb59c68940901437ff6

SHA512
90616ab14e2ef53642eaf9f6e064506657ad2ebdc6e993d964618a7e8c979360e48d8f968206ed000de6efde5f8b18f7e749d1aa3b55a3b62311a1585cda4062

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0ad2d925ffc712e0e9fdfb8f62cf9654

SHA1
9bd2b790c193f254b78b0bbecb89e8a7d2ec85fc

SHA256
e794184fe1ab3dc763422cbc6b0b7b8d8ac3e440b733b47113515382b6fa1178

SHA512
28633e747c1f0b7e5e04112f40ddb12e3f8b91ddb504f6656c875881a86f221873dda91be97a57ed4052b85e5e4e61f8246a7320398c58f93c7728b709e8d52e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.1MB

MD5
e7759beb14e1bb382a73b66629c9f2c0

SHA1
22e67fdfbffceffa05c08bbb4fa31bef6f492925

SHA256
8db161e0bc721756af73a9ce064d3daeaac8fdde6a031452c9f3dc5f383d95de

SHA512
c2d78c253eda9dc64d72b2a8ede91f17d766560eb2b0ba331e1f03227a769c130cdf44e0e438fe100327ee3ec232a82f191b1f9318463bb59321ece8dc3aea2a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
343KB

MD5
b780ac392d87c04b44d1e750cdb4632f

SHA1
e24b9d6eb8929cc6a54e35edfe496d74d061b007

SHA256
14558eecedb3f83849bfe2e515609124ec0e9ef6abfc9ddd7ca88ea0412a1fa9

SHA512
079db7081b2ce862d81c76fba7221cd846d831b1e779703d9087c0bc8218c5cee1c93b6164bc44e6046ee3d4836f87ea13524ae48d07e646b82b6ac2e3b71b46

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.4MB

MD5
65e45bdc9f8b8e62b95dc4acbe1f81d0

SHA1
f0c76432c79920d76ec9c61f23d1af36222c90f1

SHA256
c2366641b45b7d8dbfca866aa828b4a00422f0cda0835a29af54a3ac662a7d63

SHA512
f2fdef7943958b9ac653ca91a24ef8e20c62d8c7329e0054bd795c01e369d7b76f2011350b4d723faed5c6ac57a27b049def515a257fd8a6e1bc24cae4a7da68

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.9MB

MD5
7496f491d83bf5c45202da1b2327f155

SHA1
8fb61f52fd606072e6a756b1f2ee940856f8c460

SHA256
523d96d13cb9091c89b9a7a3235b33152202120ef71db7a62987b0eee1ccf8b2

SHA512
5f0f2541c374469c9033df3bf5aaaf9d6fd1e6f6aa8cc0a7ae11142829c26cc198e515d4d36e1a3816f7bbe17a5153b5200cbd19e431d02e454c47d857128c27

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6981ecfd697e640771247b6fccf8e87c

SHA1
a90c65819e4d380f04baff231754c906c5d72c1d

SHA256
1a98ae8e728e5be2c30b9ea3d90107360dee9a2f5b7f8f1d9b5dc402ca2b11ac

SHA512
e7e4360395fe59c52f35ab38cd775644eef37724a62dd4eb7088ade6037409b67f090f6f14046560c011d311597aa9aae226905b8b12337ed8bd7435a91dbfab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
821KB

MD5
370ee6fedd069e07706a8b340abf4ca3

SHA1
acc5651022f99127aed70b134d3e487908c29353

SHA256
9cbe8d6d40e444ee76814f852fdba0960dab871679ce905cfbd09c2cbc19bda5

SHA512
d3855248a0d1f30bc0ed847c6558020410134ff7e2ab1fc853dcbcb5912fceab7393fdf5080e30e1abd31d9bbdb9d3d20c884830d4720a92099c39a4d1e78ae0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
209KB

MD5
eb1a61d718ee6ac2e78d1712252b4a46

SHA1
cf81f92ce4450c705072cb298ce4e0304e8c130f

SHA256
caeb33011718f3d6c78df49bc0208e216fcee0a607b1ea00b912805b757682b8

SHA512
dbfad9b00863d918887ff4780cb6d80f92e6e4a5fb3bd57392f0ef54b3a61d9e5a1ce1819511085d18e47bd943e0f2760c873608e80fd89cb5dee8f8e94f7b0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
1a551088ef78de39d3d3fd11da21fd60

SHA1
91dfe7a8b7c0c12a7482b69cd025fd5c5e56a0f9

SHA256
5a637ae2ef0ac11f53eb46a26cdf467c7210f2e4ac266e3e109f4e13ac284bf9

SHA512
888589511ceaea7e821f4550aa945b40a02d6af78230c2ba14b61c0a2cd90a717f6b2c08389e499284d2e14d5d90cd0e50111c8a72c0870a4f3294f89db753b6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
a9f92fa491ee76d1c0d5cbee8b678b1f

SHA1
656eab2e20898a90a256b5a956b71ad15fc26145

SHA256
d141b4e8ee94dc8b9d88b18f4888231e1a51598681c46ade8751b84dbb5f1ef6

SHA512
9d10fb6c94f99218fb7a566a50d703f991d30a20c25e419c378e0d902485ab08266f12011a08e4b8b1288cea94ae5f7c72406104a97e34bc03a63d7bfe4563dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
992KB

MD5
d792fe37d90e587c4369ee7755ee28ce

SHA1
d89c943d170f0333a84501d1ff34bc721fc95677

SHA256
f4f449b26f32da1e2c0fc5906192585b4e0a207207f8c357da18ca848440e9da

SHA512
7ab0d186cf3632d03a2822e9a37337bec537740089dcf54238d2d44052b07d732e8e326f4c7e396ff753c40cc2b4c97d8b02291f5f8f8a886d90fd74efcc37fb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
516KB

MD5
1299f7e6fee11f97dad3d5e6b668e15f

SHA1
809f62f5d732f048f554006ead4ec9d59d748ee5

SHA256
c4e272e83698f61380d0c776e5f2e7d72c252563071a7678b447e936fd607d6d

SHA512
c64e9393640fbe2bb9046a8e4aa76a2c4654ecdc34620551ebf2c714b5c38ce79c3b861682c4bdfe0cb8b9779c44a6bf8b62e1184d597ae4bea482fa4d60fa90

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
fb2781a3b1cda7089f8646ae496faf49

SHA1
0f190eab6f6952288813dbc81645fcad92152e05

SHA256
bc00948d25be1caf592c29caec59ed7ffece0ee950eae1b4f26f76a273f516b3

SHA512
e1b0bbed7e0e8a8816d1ef4c8ed291522651b71b38f4d10a902cc1e771b571a1fc082e5e14be8fa8758935d8ee017449a6d78e72734ec02ca432cb304d581851

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
563KB

MD5
9dd772e5f5475602de8da574a7f48a09

SHA1
6b8d73c6c86a011419ae1758a2e850f98eef07f8

SHA256
2e2385e222c7f5acf004154c05eb6eb369ab847df3a2d9d4f4418ab80523f005

SHA512
565b73723140a24f58615424a79bc62e260d4f543181b2dcc4782bd4fdfb98a557b56ca5653c6bd8e2a5a6451598ef9fe184cca80936a2671bb92cb9a7a7298c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
239KB

MD5
2322f78e48c51b994cfda33859c52bb1

SHA1
860cec1640ac361ebe09fc487ac8b24fc9afa7aa

SHA256
a6d21c5be99ee1219b30d2eaeaaef6485ff21e03899d93514d4de879dad04801

SHA512
061cd88fd96c38590c9f3fd69d430caeda5276ba5fec93bae0f10b163b2e831125c2f0898973c656951ee1da597f6580b1d8f5f41c16eb5963c994a214caba1d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
dba4c44860d5a77bb3d0ebbfe37bfd7f

SHA1
08d93a76a5998e40f788fc9160216dfa8ec384e7

SHA256
ada05e301e735b3e4c6c5a8be88b78743c47182de8f1b186803f76d07fddee70

SHA512
d4f6bb78e0f994682ad4c63ae52d93aee91db58ab1d35d5aace149f7b8dc6c644c94896f865af5a0bf55beb55dc6ba4cb5342fa71af966c206e00aa94cdbe280

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
900KB

MD5
88f06436afad153380388bc9b1df7489

SHA1
b8803a2bee8fc5fba5b1ac8daaa28478332ec3b5

SHA256
edc0a633d8797f039b23eaaa780e2802f78baae489a194ef7466dd4202d5620d

SHA512
1068803a4a5855ef802f1de15e759c05616261124093a8e9fa530991367b48fda8bd6f19899e08248e2d8cc86e52d63d61b36206624611ef1e714a7a14b3f97b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
d1376af350d226f28ac85c1cc5e262d0

SHA1
cc9583621d0752f3f65922e4093aeaee4c8567a9

SHA256
bc72ec6db9c4f3e41ac099838a505baac272a04dc18b648479d89d0c1b4b34f0

SHA512
df2de136080fc207dc9b23a60a7d6c82c5c6ff4013e83c2aab0a0aab2ec8794059198ab5018244f64170ab65b282d7275c37d2f5d2e731460feeafefa12152ef

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
156b13e93edcf154083f9cb7c36c9e52

SHA1
f15d80daa143001e5741b1380ebb26bf4d8bb2e7

SHA256
e59b89260231d3e6992993948bf7a2b65a32dbcc8a8140e7527c9f21072b40b3

SHA512
30872621c4bf90bb96f11b9185d2cc1579a7bf78f91ba9a2bdada2edb66186e4655f43ed752aa93b30b4e0d765a1f5db96f954577c9b2856d952e9df1adbdba3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1024KB

MD5
e9bbae002f0ceb9256d17a65740a30b1

SHA1
449a8e78cdb28b5e3911a57df13749aac3c9197f

SHA256
38f4d76cb4759fb11a0258a70be5da00a954bcba99bea764e6dc51873264003f

SHA512
a1ed0afd2fca5d29277da7e5fcd79858799fbbd6675a4f2ad0663d0f6c7860d394c326b88b81a028081c6ec1774c4b46c1397295d20919ddfd78e0257923b3d3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
768KB

MD5
f18a0d54ca3f88dfbcf3cc6893df4188

SHA1
3e65fbfd9a260816d3508a5744c090fe0bb92059

SHA256
dc07eca8f54145a90c0abd99b2dd9865bfe94716b4a3cca9363b977601916c4c

SHA512
85b65931ad54e638abc5033ef5f93e5d0ff29ac5f3472f06ff144f0bcbc24657dc7f54f8c6095fb9819a6ce04e89e55fc14f686d124bc12aa7ab27873b947dda

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
960KB

MD5
9a1a3740e3f3a8a3fb4a6bf555e59f74

SHA1
994771d40b921db03a52952902ee90f7187816d4

SHA256
df3f9f2f03d5a9adc836d0f50870c80f379b2e7aee505949d3b78eb5448383bd

SHA512
9b09638bb23a23a35421e4a3a4d67ee1668d6ba2bca040963b37989cf64836a716289769614b9c3fa4fece3cc8f7fd113d766b5a6ead5fa2cb8ec68b122e5ef7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
576KB

MD5
c34122b4278c900249a3ecf221e6928b

SHA1
a1ce021413627b54d0da204727a85af53bd74999

SHA256
5428bc194800483090a40a1aeb63ab0fbfc69e29adac5c2e51dc2354a56081e1

SHA512
d97d5d4649136283f91eacafd2893fac21ba9f6c9283a6bf2c5f446c9a535ffaf2daf98101f0fe45cb45ee866f83b4b51dbc4933df7fdf3f1875f5ba6e2a9cd7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.9MB

MD5
fd9e2ce9a77bd65e6d240acfd8f8de9f

SHA1
396db596674f82f1cdf1925a024fff3676090593

SHA256
5754402d3d3c0f7d474316398970adee24521c938abba2c81d815844ae74feab

SHA512
3a6fb7c83b0326776b5fc91a1e18b2d187f29d8232cec676c810294a98c31a39edc3123b0dd16440b2e8aa988afb3d43d49131de43839c425c23175ccc100267

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
bf98932fdcf5a97e2813bc985f0f8547

SHA1
371de69497b8098468caf995b588f6f3e224e458

SHA256
c48c3371b710853311eb2c1c9162f221b6d6056db2b043571c537e213daca68e

SHA512
db0d0a20aaac964dc7c596f230893a914e24146ff06c49f0adc627204cca89360a9ed0e5c7cc790a299ef00851c14940176e4071feb04ba654e7893dc1ed7eec

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
f49d8934a3b28cb104312131282c657b

SHA1
d0670189d0a9e2408bc369037f6a40cb979101e2

SHA256
473da95d19aaa02ebb9dc14975eb4f9cb3b0bb9669df266784fa10340c9f9995

SHA512
69ae2fff031d1621dba5b6be9cd0ae4f0a724b2d55f7717448e9bbb5b430823ee8da7239be26afe2309f6b01fd6ae640c7dc35437cd90e0de495b85621ece36b

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
960KB

MD5
b89c812b656a2039f9065b67230b75d4

SHA1
15dd5033d14cdafcb81202de8d67cb75bb26cbd2

SHA256
fe2608b2ca88fd65d57aa2e77024564eb415a001e114c6ab5d25d39e00b50626

SHA512
b44aadb1fcf2114b50faed581ca25dc3b297765c2144dd9cce358ea09559a8da77dfdff6a71fa02b198f91fc9eb789642640a382a14be37ed0dc94fa943cc7d8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a9bf9b048ada5a5a503871f7432a3096

SHA1
bb6e68c4b17316adac54fa71c0eb594f41485bc0

SHA256
53ce05f14ab3e029fdf8c685ced24f927eb6470c59a54b03d0500c9a6e85d3b2

SHA512
9640c6c5086e64f8ceea85183733e5adfa69ee374cfa3a8e90d286195a6adb5dfde968fc086cf83fb7a0591d6555c91e088559f18306971e6f851ff5626e52c2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6a70e6b31c16fba6d66aa9eab2562491

SHA1
11024e4264ddd75aeed563cf1ed11c04936928c1

SHA256
9cce8449851ca7e980af6b83fa13d690877055cd80497bf02816f33d9c7c6d99

SHA512
1edb6ffc628c3a036d645633a34b100efb4a11566f3f2bb8ee1da8dd710a69215050e0ce91e60a09b1d9d2f450236a1292d85625af90cdff5d45b7c6c8f1d1c8

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
669KB

MD5
063e29ab6d34d5e6c8991799c0080060

SHA1
ab5e1e8b2fbce2f9ab363b84944c21de726733ae

SHA256
9e23f69f8f5510b03d6e2f8d3962ba5fa6b5d60d291e49144adb94d1b513df77

SHA512
838e202db1fc94497cc27007681722e5264cf30aef7fcbf7a83664ecc2aa6790511ac84b154a76fec6d17d1ebed092fd7a070e8d9f34240d246cc5be48b22185

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
629KB

MD5
096156bc6272e84e1c53a0f8c7000439

SHA1
0013f87035823447081b30d29e5c6702e8de1087

SHA256
d600b300d4e16be3b1febb423c2431c57b73cfa992ebcfe0ef2963dbebf50aae

SHA512
d1cb1fa2b98bc92a998a14df609758d61a55067c4637419df84c8e3a0cc1da7b7ad81ba0c99334cbf944ae3cb8585a59c41f2a05f4a3d9e06ac21cb8a61c45e8

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
8e724480dc2892e6591bdd2d47d7dcfe

SHA1
ef8f3629dff76c5284c6a84308b09b332725198d

SHA256
0a57d6a6c5e0db7314107a2904a752e04b07c90d923ade6562b2eb1618a976a3

SHA512
7f4b06e5350bc6a040c62b6ec2f9aaff073e207559277064a3157aa01d0a053829beb3fe14e464ec5a92a91b5dd174e0b1f365ff65e6476b361e045ad273158d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
608b2fa5b07450e8ee3cd945a547a25a

SHA1
bb7835156a82320850fc89f0e875258384ae146a

SHA256
e3c11195244f2680c6ec7df40e9eaf40057c08b2069eb1746236bff209857064

SHA512
11eb133b943d7488e2a4642877caa0b4ed5f856d193c6ebf5a5c62e1155bbe55b441d8b6d524d6e4124bdefdc06e75ae58a69a5dbb143540897ad36c9aa62131

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
e05395a368a46e6db1368fb06021126e

SHA1
6f77b3d4a9fd8731c076d3a596fb3698fd3cd350

SHA256
75f8e072a94cb9e8b7599058b46c3073c0f5ce018210e42a4d12f6887e1f2c9d

SHA512
9d787010f0d4efc89d06aa67410939c036096196167fc4edaacf354b788658e08be99e129f35d17b78e073eaee59e80299b979cfcfabf3c3fc5b727f8fe36451

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
548KB

MD5
7bbd1b938ea0d68ccc634d62c2bc4517

SHA1
e75ae2311bce518fdb5756acb577e48424e82779

SHA256
fd3e97b17f7dac95f13717cfae42eaf2fa82e7cddeb2549e1fe9dfbc39d6cc98

SHA512
c0b3d6ab966c23dc647e459459e17bf275b604862746dc525e4246bda890498925c25bf3a315654d9c733d9eec6c144fb60181e3e572729d86d768d21475b693

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d51ea095c3e1e60125c061b3ff906de9

SHA1
cc9d434c6a7d571a2e5429f77fb407ac844db01b

SHA256
c07135d2f4e6f5eff5776a711f4a62c5f81ff9d3edd05e34f6428f2f8c5c097a

SHA512
97598081497213708c660938c7d87ae4f580a97477d68877a59ff534cf993c71152a5263f128b8f96081b14530f26b8b8cf9cb60d8a6b5dad4b2030be0a69e97

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1a756e9e902ac941bbd8d9e28b80f908

SHA1
4f075203af641c57b6e81e5d024083a5761dbb9e

SHA256
7fe12ff7425218fc3c00db69accd8178f1f4360fa0c3352d9990cb25a22dfb5d

SHA512
34a2a9a0edbb6fbd20f61ef06b503d8fba0421f63a5e36bbb62a43f369078b6d727f1e44666a33e6faef6d625605904336654b535cb7efce8a46316d4cadd5c6

Download Submit
\Windows\System32\dllhost.exe

Filesize
128KB

MD5
380b543b4c8d36a6284c16f58b16fe9d

SHA1
649db5587d511ae5af55aecc2ca9a442396a31e6

SHA256
0a673be6530c56093e702c9ca9d24581675899f283b9f5752e718a816bdb7214

SHA512
2fcd0ae6d5035d7f6266bbea77926cf010af7c7dfbbba19df71613a1d0ffdf0586ac3ab31b6caf574473c7e8bda594177bca511a00d8ba268f9df1763b8d0f95

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
feb57a29d9004d0dc7cfcde1bfb1ac21

SHA1
3d360f9c199f241e56e1660f4c688e74232c6dbf

SHA256
707aa7272f4bd9ea78347e2973c6b29e2cab57b5db914c7eea8615635b96dab9

SHA512
5aed4524f6b5f5e2a02ac3f9ace24020062dd1d6644087b178961a109cee90cb754452d335f5036b349689f3b845b853fd1cf87a45b36947f66d59139db68c07

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
dbf318ab15f3850971de660bb84ae51c

SHA1
28a5c3ce108a0d995087a6fda3cc879ba8a67b83

SHA256
bdf216979eac550b930a5741538dbb219f80e12913cb12d6547c8b8d62d9aeb7

SHA512
d217ad81f2763dcb88568d951e9fd1fd58b77c9ff5e8924140759e6751ed9236d13054e74d16145f698afa41ec78b497e557ff6af2dca4a736c45346f7e92985

Download Submit
\Windows\System32\snmptrap.exe

Filesize
192KB

MD5
d11ab608034e52b514a0bd1d6f4b26d7

SHA1
dd609adf91221aa9b22b5db2342c41aa8388c6fc

SHA256
2cc1c4e68e8293c3d5ad67a1518c75de1cef6a1637ce529c8e2420bdd5c2d536

SHA512
f11b13bc315c439769a3c85c22d0fcfe538a7b88ce8b54e09a7041b9d4ee8fd427f0ec11686c379a8da5d848995d1f2400a4f3fe1a50e792b02ff8b1754446ce

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
73856bda9e2d7068218e376ccf43a2b1

SHA1
ede9826d2c4757bcec6c14da82a586dacd1d10ae

SHA256
3c93d64a619f3de6e255fde84ebff17a222f066d351b7b976bc24dcfe5af7a43

SHA512
588ccfeb61206645ae398c393786131cfb3c6829b42c00a8a5f8786e4dcc9e8d9d1b7f094eb8ed514aafdc9b97067017d626a1ccba522bcc38820cefb5428116

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
a24be3c89880db84b9175a60bfb57dfc

SHA1
f0de0733a017913280b2d72332e070256fabc0ea

SHA256
02917b6000eac0150274843fcf98a4dc3c4226472834a20365715f0c8ae1b04b

SHA512
354fc64e5457352034d5074610097b7d66af0d8f917591ef8a385f5557f87a8a086c7454aea410e775622efd7c78595fb9ef42d743a821215467365431cf58f8

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ba0334fe36e02b89fa4661077c32bfb8

SHA1
702068dd0c2b0df3954276a69c3edbe8f1974bcf

SHA256
d0d39894a6f5e12db3f316a9b38fe78eb85e4300f8db8d585d0906e9285ef7e8

SHA512
9ac4f244e060e5702f8bb31c2c711cd714b4a8e267f966925d7ad8f7f47ffdb6b4893746d1788ff631015e47579841808de0026abf9162ec49b40a3fbb70c763

Download Submit
\Windows\ehome\ehsched.exe

Filesize
316KB

MD5
2250ceb2196e3b65a2a1add10c2533ea

SHA1
81fa857d804bc2841bfd9e3a8146d5bb41b676f0

SHA256
756c7829b58e18a8f69a40b291566fdd151306dae88519d4d20a11773439ba74

SHA512
73e3b00a54304798967ed9760f64aa961d82512557ce5e0c3892eb65471e34f05133092eda83569df7c94b30f8ecd0e41d6dc5d705e76da0d80a00f3bb6b75cb

Download Submit
memory/700-378-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/700-200-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/700-201-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/700-376-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/700-310-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/892-167-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/892-218-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/892-166-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/892-159-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/948-330-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/948-212-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1008-207-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1008-179-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1008-182-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1008-187-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1008-304-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1324-144-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1324-145-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/1324-151-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/1324-213-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-403-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-362-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-356-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1728-351-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1768-113-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1768-106-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1768-141-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1768-107-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1952-102-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1952-180-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1952-96-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1952-95-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2224-371-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2224-365-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2224-373-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2320-395-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2320-405-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2420-383-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2420-388-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2432-345-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-220-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2432-214-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-215-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2432-216-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-339-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-340-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2432-219-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2432-342-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/2460-311-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-307-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/2460-299-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2460-324-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2460-325-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-341-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2692-333-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2692-343-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-358-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2692-359-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-173-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2768-130-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2768-124-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2768-123-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2852-41-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2852-13-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2852-17-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2852-160-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2932-293-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2932-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2932-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2932-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2932-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2932-2-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3000-364-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3000-321-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/3000-372-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-326-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-314-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download