404dbe9d744cae49fd3f251e91bab5132b9761e185806869cf4be1aae3061daf

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
Size

1.1MB
MD5

9cdfd69f4cc4da52f453e48e0955666a
SHA1

956adfa715497ba5673d50c96e50ef70b8d17b5f
SHA256

404dbe9d744cae49fd3f251e91bab5132b9761e185806869cf4be1aae3061daf
SHA512

e37bbf96def79dd06dd410ee79e1574411be004bb455231af183ab365c3a6f2fe84f2d709bd8fb345e766ffdb7666769bbd347614e402ddbd503a2573d044d80
SSDEEP

24576:GSi1SoCU5qJSr1eWPSCsP0MugC6eT+t/sBlDqgZQd6XKtiMJYiPU:WS7PLjeTU/snji6attJM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
472	Process not Found
3000	alg.exe
2860	aspnet_state.exe
2716	mscorsvw.exe
2588	mscorsvw.exe
1064	mscorsvw.exe
2508	mscorsvw.exe
1644	ehRecvr.exe
452	ehsched.exe
1628	elevation_service.exe
2084	GROOVE.EXE
1420	mscorsvw.exe
1488	maintenanceservice.exe
1072	mscorsvw.exe
2100	OSE.EXE
1740	OSPPSVC.EXE
2928	mscorsvw.exe
2096	mscorsvw.exe
1116	mscorsvw.exe
1276	mscorsvw.exe
2472	mscorsvw.exe
2836	mscorsvw.exe
2004	mscorsvw.exe
2420	mscorsvw.exe
1136	mscorsvw.exe
1012	mscorsvw.exe
2008	mscorsvw.exe
2988	mscorsvw.exe
2852	mscorsvw.exe
368	mscorsvw.exe
1276	mscorsvw.exe
2472	mscorsvw.exe
2596	mscorsvw.exe
2380	mscorsvw.exe
828	mscorsvw.exe
1508	mscorsvw.exe
2156	mscorsvw.exe
1556	mscorsvw.exe
3064	mscorsvw.exe
1964	dllhost.exe
3048	mscorsvw.exe
1176	mscorsvw.exe
3008	mscorsvw.exe
2856	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a93dbaa75465f8f4.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B262F552-36A4-4AFD-A8FD-D1AE5D349D55}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4BFB185D-74B4-4D5E-9790-D9902695636A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4BFB185D-74B4-4D5E-9790-D9902695636A}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2228	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1964	2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: 33	2456	EhTray.exe
Token: SeIncBasePriorityPrivilege	2456	EhTray.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeDebugPrivilege	2228	ehRec.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: 33	2456	EhTray.exe
Token: SeIncBasePriorityPrivilege	2456	EhTray.exe
Token: SeDebugPrivilege	3000	alg.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeDebugPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1064	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2456	EhTray.exe
2456	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2456	EhTray.exe
2456	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1420	2508	mscorsvw.exe	40
PID 2508 wrote to memory of 1420	2508	mscorsvw.exe	40
PID 2508 wrote to memory of 1420	2508	mscorsvw.exe	40
PID 2508 wrote to memory of 1072	2508	mscorsvw.exe	42
PID 2508 wrote to memory of 1072	2508	mscorsvw.exe	42
PID 2508 wrote to memory of 1072	2508	mscorsvw.exe	42
PID 1064 wrote to memory of 2928	1064	mscorsvw.exe	45
PID 1064 wrote to memory of 2928	1064	mscorsvw.exe	45
PID 1064 wrote to memory of 2928	1064	mscorsvw.exe	45
PID 1064 wrote to memory of 2928	1064	mscorsvw.exe	45
PID 1064 wrote to memory of 2096	1064	mscorsvw.exe	46
PID 1064 wrote to memory of 2096	1064	mscorsvw.exe	46
PID 1064 wrote to memory of 2096	1064	mscorsvw.exe	46
PID 1064 wrote to memory of 2096	1064	mscorsvw.exe	46
PID 1064 wrote to memory of 1116	1064	mscorsvw.exe	47
PID 1064 wrote to memory of 1116	1064	mscorsvw.exe	47
PID 1064 wrote to memory of 1116	1064	mscorsvw.exe	47
PID 1064 wrote to memory of 1116	1064	mscorsvw.exe	47
PID 1064 wrote to memory of 1276	1064	mscorsvw.exe	48
PID 1064 wrote to memory of 1276	1064	mscorsvw.exe	48
PID 1064 wrote to memory of 1276	1064	mscorsvw.exe	48
PID 1064 wrote to memory of 1276	1064	mscorsvw.exe	48
PID 1064 wrote to memory of 2472	1064	mscorsvw.exe	49
PID 1064 wrote to memory of 2472	1064	mscorsvw.exe	49
PID 1064 wrote to memory of 2472	1064	mscorsvw.exe	49
PID 1064 wrote to memory of 2472	1064	mscorsvw.exe	49
PID 1064 wrote to memory of 2836	1064	mscorsvw.exe	50
PID 1064 wrote to memory of 2836	1064	mscorsvw.exe	50
PID 1064 wrote to memory of 2836	1064	mscorsvw.exe	50
PID 1064 wrote to memory of 2836	1064	mscorsvw.exe	50
PID 1064 wrote to memory of 2004	1064	mscorsvw.exe	51
PID 1064 wrote to memory of 2004	1064	mscorsvw.exe	51
PID 1064 wrote to memory of 2004	1064	mscorsvw.exe	51
PID 1064 wrote to memory of 2004	1064	mscorsvw.exe	51
PID 1064 wrote to memory of 2420	1064	mscorsvw.exe	54
PID 1064 wrote to memory of 2420	1064	mscorsvw.exe	54
PID 1064 wrote to memory of 2420	1064	mscorsvw.exe	54
PID 1064 wrote to memory of 2420	1064	mscorsvw.exe	54
PID 1064 wrote to memory of 1136	1064	mscorsvw.exe	55
PID 1064 wrote to memory of 1136	1064	mscorsvw.exe	55
PID 1064 wrote to memory of 1136	1064	mscorsvw.exe	55
PID 1064 wrote to memory of 1136	1064	mscorsvw.exe	55
PID 1064 wrote to memory of 1012	1064	mscorsvw.exe	56
PID 1064 wrote to memory of 1012	1064	mscorsvw.exe	56
PID 1064 wrote to memory of 1012	1064	mscorsvw.exe	56
PID 1064 wrote to memory of 1012	1064	mscorsvw.exe	56
PID 1064 wrote to memory of 2008	1064	mscorsvw.exe	57
PID 1064 wrote to memory of 2008	1064	mscorsvw.exe	57
PID 1064 wrote to memory of 2008	1064	mscorsvw.exe	57
PID 1064 wrote to memory of 2008	1064	mscorsvw.exe	57
PID 1064 wrote to memory of 2988	1064	mscorsvw.exe	58
PID 1064 wrote to memory of 2988	1064	mscorsvw.exe	58
PID 1064 wrote to memory of 2988	1064	mscorsvw.exe	58
PID 1064 wrote to memory of 2988	1064	mscorsvw.exe	58
PID 1064 wrote to memory of 2852	1064	mscorsvw.exe	59
PID 1064 wrote to memory of 2852	1064	mscorsvw.exe	59
PID 1064 wrote to memory of 2852	1064	mscorsvw.exe	59
PID 1064 wrote to memory of 2852	1064	mscorsvw.exe	59
PID 1064 wrote to memory of 368	1064	mscorsvw.exe	60
PID 1064 wrote to memory of 368	1064	mscorsvw.exe	60
PID 1064 wrote to memory of 368	1064	mscorsvw.exe	60
PID 1064 wrote to memory of 368	1064	mscorsvw.exe	60
PID 1064 wrote to memory of 1276	1064	mscorsvw.exe	61
PID 1064 wrote to memory of 1276	1064	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_9cdfd69f4cc4da52f453e48e0955666a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2716

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1e8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 260 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 250 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 268 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 280 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 258 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 268 -NGENProcess 250 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1e0 -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 298 -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 1e0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2ac -NGENProcess 260 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 158 -InterruptEvent 1a0 -NGENProcess 180 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 1fc -NGENProcess 1ec -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 204 -NGENProcess 1d4 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 1a0 -NGENProcess 20c -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1644

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2456

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2084

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1488

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2100

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1740

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
764f71e628beb44f32b335812d15ab27

SHA1
ee83877425e91f037b06087ab96b183329d618fa

SHA256
8480aa3454ff568c474702bdb10ad352019e216ed58b2910f03c58792582ccf2

SHA512
6cc818e9e268cc61d0af69e871844cf9112f6b4f5b4303e4a29a8d9b2a5a58aa4e5a04cb17f4039f780f87808f53c65c7ff42e292a220ad77b814c8e2a49942f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
f51f5293e3f24b4901496287d1f51145

SHA1
13dacda3aaa9fa962c095fb34e4867c8bd8bfa6c

SHA256
8e8ac603a81c68b2e1b71c0045d2be53a56fb9919ad277cb6935ad7d1b3fbfa1

SHA512
26f08efdefa7abadf6e0e149212e5125de6b3232e573c547465af1feb0145b5c5bbe3a9fc44d267dc65ce72c256e657a60072de30c07eb620061a4ea9b3a8427

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
09a273c3d0e867c016737e769b1827b0

SHA1
6b6d4a8cd9d4fc74c616e0a2200c4c7e75d7ad67

SHA256
9c025a2a9057e45fb269e78e981aaefe919bac088a337b336e6d90e0b2d4fcd6

SHA512
74e4a73cc539d6fc82e56a781b9290f3030d3a321d431fa201e4bd7df82d87a9a0239b2120d42439b74b5e48a2b285b0c507562a1e908033c424b8135bed8483

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
172672b9abe8cf1e8573828377b82c21

SHA1
723c2ef1d7926715e0cdda58fd00e8fd65800122

SHA256
45c4acffb2ff3589a27eb5aa0363ba1855ed71dec1e0817d4abe76df598ab3f5

SHA512
b691690982cf68bdcb8fe947dbb373389eddd361ef6b711412203cbaa24f1161502dddc9e0515d760cec8516606bc002836d6323689af66e81b547f748646b48

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
97b606567c1f7c43fddd371e966230d0

SHA1
9aaac35f3e37a5394236da1f380219201437d71e

SHA256
0bc8565a47b66d711df983326fc284bd8d40102e1762686c19e82e1216a0f68d

SHA512
2fb0c36ffa45a0a8814976e651093294e9f503eb3cd00a283e88ce119ad7353d17554059e2c921c370b77d94ccec46b39858b31e039d04a974e8da95bf30daaa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.7MB

MD5
4bc2ee2600d329c3faa285be6a2b8287

SHA1
dacf21a8d3f5307f8c44b4cddc6619ed9d57c5aa

SHA256
37d98b05e0f3636444a0dcd055a1a6fbfffdfd61d9a774594630c63cc5029622

SHA512
fdb7deaafe58d5bcf9d874f946e23a468aed837ca57454b398c80a10b82e100e682f3f2c1a2732dd737d76721a584a6e8cb0d84caa68a901e27e81b17f1461d2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
70bb8f30b2bc6a0ee00c0ff8222362fc

SHA1
ce64a31cc80d08f7ea4c456394be25f3f58ec08c

SHA256
b5c2442d566efdf3605c0f066432bddde8086bcc9e561724cb5aa6e47087bd96

SHA512
3055f06ff52b696d1f491255503d53cf110d0d71a9bfac9e9624ea05cdeb2afbf6c1fdedbde881a03cae78c3fd0086b74ef3bc6a4d3e5f67da3f832eb6b8a370

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f0229ca48cacfef2f696467b885dcd1b

SHA1
9bf8caeac13446f5d5ff860e090db129909c637b

SHA256
aa4ce0dd3ab9fb27bb81393ffd1d3c82f164c4e2dff936ad03657aa38d53eb8b

SHA512
840c15e10f084d6e0d21af7e14c3dc07202828b682352a77b3664f2c1f6e7d08ad6637a2787ea9d41270b82366c948658976f2e19870aadf1ce4042b4ead6302

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
47732dd74037aab2f685d5574772d39e

SHA1
00c7871c5e91c10f1185cbde49efa415494cf9e8

SHA256
45741060f80c77cd2715c3e4c3d06cb6f3fb8363b30e996c68c243f053048d28

SHA512
bc9cbaa5bff006513aafce2427cd8af45a8cda19fa4d675fde56295b481c860b93c1c1083a5d3a027af4b7152616e0326b08dcba0e9c2112ae6129c268eb0a5e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c266803255de5364bd7424621b698f33

SHA1
5b335b3d7e2ad9dc98bd407772bbafc0ba54fff1

SHA256
236ed933aa659961954ee6413fc08bb65dbf12aacdabf5dd86ccf4184b938d3d

SHA512
29ba26beacd6cce538c8643d0933f8ac8c5cad3b35f806a0802c344dbde59cc8ae5e0f65615d904ffcf220e1ac797abbbef84e83e7cf0e95f2482238f746f355

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
bd326900d4d050e033b209d38ebaa465

SHA1
cd9ac9bbbe650844b743b30f27e791ddf768c8d0

SHA256
61cc82a1f7cc8fc0ef0c69c75722520a88b0f6f5d18005c98edf5c39eebfad42

SHA512
d622c651e1e37dab3648d36eae86511c19bf68ed83dab6fde4e1dff3f267cf662b596250f30d7a2ae5ef2856d5ce35b501b550d422d1febb32929091e491cd67

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.9MB

MD5
a7029130284cf7c7e7ddc5bd42d2c3bf

SHA1
5f87ea7f3bdc49fe53764666ed513d87901c224e

SHA256
b5c9c2ad7cbeb114427393bbc3a1b008266dae9ce74e6de8bb35804f05149f38

SHA512
ba7b5c64ad69130559b506d9f65cc1c972b18e070d64308ce0e8d6d17bf7ec508d36919156494d135444d929b216907aeccb8d10521931bea66ef8fb800e00ef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
58a7669130042ae731913915a955f861

SHA1
3004b2d681fe8debce39d97ffeaf12be19db66f1

SHA256
77f197ec3f9d744882703506debab07e3addc746bd5aabd5f066ff6afd7cbd1d

SHA512
b7470dfd512407856fd362a4583f48c11585b6d40edaebdbbd014ab1c707ee59816ab0aeb92433c27475a39f93f1900e2286cbf6941eb8b2b02cc5040708cf54

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.6MB

MD5
60280f8c27b712b403aa2964a399a31d

SHA1
545acc585f073eca78bd6299739cafff935de76f

SHA256
3415a709533b711b74eba1f99c1fec789ff4cc31fc876f87625bc1ecb812ac3c

SHA512
46ce2d8176a72cbee194b07e94c9606436b43cc7956f91ca4f9e1f25f711d71640255981680ddde5df3a211e30baeacbb9a82a9bee6b3474969fc343c9b4b686

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0199721b7da183748084dcb8556a7fb0

SHA1
f6f137ad9fcfa9c804179ed0d3d8306da2ccd4f4

SHA256
bf3fc562cdb6b23e781ede1c21be8b455970f7bbe3a7227ca8e9acfafbb23663

SHA512
220113dfcfe219fe19719e74f1724135d08da6182ed9a46db87f0fa667cf83c3be987814c7dcb26aaf0d3199839a33b194d0ff4b0f810a9d147f753b82a966ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4ca4b94679db37a41a981800019233de

SHA1
38743dbea722d2a18d15c350aa70cc42c16529f8

SHA256
02900a6f656ec483184c68aa641ca147afc573b6b81b36c2e023abebe5b74bf1

SHA512
4508bd706328f5e535d76ba7c9f6b853c5b579cef15c61416b7db98a738b282f86177a7671fa4460d0f23cf48333e6ff0c5048129faa5d959a7693894da3bcfe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
0a75c12203978b65228733c4fa31c2ba

SHA1
692f6f3876597b0c50b2e0c09f56daec97670b48

SHA256
40a5a201e08df6453f46841e427dafd5de1ee5f5b6393478598c976d3f8355ee

SHA512
48b153205de74df7acae1dab4c26fd2280538016efa15e1805a4e7929ae27ded87cf1cf943e9ed1700cdc8ce0e04017373bb68263a757177e787056bee1e035f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e00d0f89a6964cead448f5c2634a4e91

SHA1
ce5d0aa75fa366510e4a5ef5249db0a7c00ceff9

SHA256
d62c4f85c5c6d86476102397d4c7430ab5ee01e7a8e4c754946bd1060aac840f

SHA512
de2b200a097893e3654887a22f2cd26fd4bc859c8031bf43f4f9eff9d8c0e619ec6f0f844c140bf6ef2d7d9e033b31b98fa78955e6be3264356d091a55bef5e6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
503ae7d04c30204931bf8f39b0a3077d

SHA1
8c6d37ed8137836739f26758bfff1bd7039d388c

SHA256
9cff2e52728a5a731ad40dcf65bfd9b8f77f886389ae73e8653e228660a04aba

SHA512
a1223807b0430d42c293b336f9890824e0fd6e3aed1d06205bd811099488c8e70c8482d997a13a53f25322643aa91b3d0e6700297425ea22ab303c2fb2a1315a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
2d7c8104a93b86cf606a93e97dfc678c

SHA1
adb2f95ce440468f17884505f597b5bce0f935fa

SHA256
8e5ca4270525ba557538b2afd5019479d806903f4a5e6aaf8da884d8ef1e3194

SHA512
d138f093dc8f506da4abbb9cd70563170b668ab47d52c3567f9f5658b4ba3189efd9e7db692da8ac22f1546ec23d65c036c0899f656bf2b20a3962f2632b1570

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
136e080541d06da93df797993f513165

SHA1
fbe25001cd2da3024d86a8b7a9e8aec0305dbbf7

SHA256
244c80f429f2a9ed4b1b828edbe3d168b7afe462da9d4a5710770434aa847884

SHA512
d3b6d6ac35b86c3ce3d4f4ffeabc36069c7d2cc11f04c7a1c8de9a26a19b96b2f3c76458920f74cb85b3775d8296744558e6eb1ddbc38fb448dc1313e984f1a1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
37184541a319ec13ea0d780fab77d56f

SHA1
003ebbfc7d87f46c32717d11d90d3a7f50e74ca2

SHA256
6aed2ce374d83222901aff47f615f39d38283df5defb162698ca23a46abe330a

SHA512
3c9afbc335733337ca400cedd21388e4ccc26a9a660ef7fc75d81a95f3286ce10edfb5d3d001cacca109b948136ddae2e57f19ff1d9672cc7ae3ca495cde1e89

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
bc15708f22b3526007fa91db3b998d81

SHA1
41bfaa5cf40dd787486bf8a278fe9edd8164117a

SHA256
4f47c0c3e0f7e77ec07b69306a03c64f81a7193d71f4e151d750fe7113d1ba2b

SHA512
59265464f975e48ca31bab16d90cfd727d16ab53619087ea2ce25ab64c04683eb0ef762a6f1364f31767a8a2d0bedb5be38b0b375984435d243d42dda690c2cc

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
b4a265af4e22d71657ac1cac964450ad

SHA1
783d230dd972acd28f37c0586e5f38bc6600a5b7

SHA256
8acbb81400c6f047b41013f78bc56141190478544af4e3c459deef476e5d651d

SHA512
76373fb2ccdcd79d7043872f87eed41b39655eaa41ea43e34e7f769c53fece7f5cf95fd4f0bbc4fd2757d31efcfd64d959da4ac57f49f108df1689753889bce3

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
93efb8562a70c353a554d10f3e41d47b

SHA1
bd219ed7e9db12f53f8e6c0483d721c9828e03ea

SHA256
36c203f48bb350a0300252b5c2eba883ed4ceceb3cfb1037b3113bbd1f900e2b

SHA512
58ca4b9ff05c6d01e95b8af9bbc1625d78c508df4590619bdfafc61098290e79a33ab49d89019af92bb82f0e3f9d426371f75376e206e5a6de3292c1815dd7af

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
799KB

MD5
0d3b12acf05fab7298523c5a9e03d4c0

SHA1
0249423de1e91bcf05fc50769e4209914f939b53

SHA256
daf41bcbba5027cc0d22b004de5f39bf0524ad011d77f25b730641a6fc0aed0d

SHA512
cce27687e641948d7953e86560e63c7c52da9bab22a07afd5b191433de246e9f9b7d55f1f026a371e925f5e0159df4289a6d8c4998be0e9d137912b8cf7075e9

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
f5ea8b0cffbcbebb03396d9e56c4154c

SHA1
1a20d185340f35406821d51138db6e57d6650032

SHA256
b8e1dff8d335f9d793f75c5e60b4921c24df63ee3ff9d157dc47e8ec407f3f12

SHA512
ebec7addf40623a3d538f2bf3155d394f4f1a47310f3888a71ef87e1ce19caf06059c4ceb7ccd5b15ef40d0f71cb6507016a67000d93e4fb873c05f1d1a64029

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
192953ab51a44d311f32b6b711ca1d54

SHA1
0aed9bec8c0e935c94996f9bdb1f1e1ad1038b2c

SHA256
23ca219cf43605043b88988bd0c7497df9bd88413d2068f894e03b53032311d7

SHA512
b1b4f9fd7f9f588402680502c0688f252cd77c3b70aa30a81b089108c51f5abd2e5e3d9202652baf3b76f09e2d3012960f05e64d1ebd10799828a0d22187b572

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
526ca70ed6a1735dee27a32fab522200

SHA1
0d8d67e6cad9ff1bbb25f124ad89baee497dca65

SHA256
d746f378391f5d2116b6269371a106ee44f479bab21d8dac0c2f77202b23020c

SHA512
2111a34e225168e754202d78a9528ae79245b33edf8616fdb82c31bf5b3113024a75d8957fea4103c9f131aa9e64b27e6dfb436fa1d5f0518097fc586dd9bf2c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
256KB

MD5
31906e7e1fa7b064a7998fdbeb611808

SHA1
7b14afd791b8ed70bc15ebf20d7d419ae6150eb0

SHA256
8fafad108de0c5093d3a304afa8f87103235bad6cc61a4a5bb7ae7a1c57b8185

SHA512
f8e5996da9e13436661a93b1c02f1cb7c4ee724a9d5624e1a8be9e725c0881a9bdd08a46a7390251626c63dc5dc06f8b327c87e7472404b523b23ec105d1c8d6

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
18f210ddc5c4366f8d1529e830bd2569

SHA1
bdc5be9959e4dfc2dce0cd56b1f399509f049af1

SHA256
0dff617788416cc2bbe8db65c2df6908a4648e7e8555068704c7e6d372bcdf76

SHA512
a16420631c35c798190d2521ad7fc6952fb59138d0eb65d0a404bfe4f7d6e001047da0aa31a028548bb9c398a39762bd90472dc64b1167a825d7c219529e3b18

Download Submit
memory/452-98-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/452-97-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/452-112-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/452-203-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1064-60-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1064-53-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1064-59-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1064-123-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1072-218-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1072-182-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1072-184-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1072-202-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-216-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-217-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1420-157-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1420-200-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1420-201-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1420-153-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1420-180-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1488-179-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/1488-181-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1628-117-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1628-116-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1628-125-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1628-244-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1644-91-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1644-114-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1644-104-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1644-102-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1644-84-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1644-83-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1644-198-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1644-225-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1740-207-0x0000000073C18000-0x0000000073C2D000-memory.dmp

Filesize
84KB

Download
memory/1740-330-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1740-199-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1740-197-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1964-73-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1964-106-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1964-8-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1964-110-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1964-0-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1964-7-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1964-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2084-196-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2084-155-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2084-129-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2096-373-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2096-371-0x00000000724E0000-0x0000000072BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2096-336-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2096-333-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2100-299-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2100-187-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2228-226-0x0000000000BE0000-0x0000000000C60000-memory.dmp

Filesize
512KB

Download
memory/2228-297-0x0000000000BE0000-0x0000000000C60000-memory.dmp

Filesize
512KB

Download
memory/2228-328-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-206-0x0000000000BE0000-0x0000000000C60000-memory.dmp

Filesize
512KB

Download
memory/2228-265-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-151-0x0000000000BE0000-0x0000000000C60000-memory.dmp

Filesize
512KB

Download
memory/2228-150-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-191-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-74-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2588-45-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2588-77-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2716-36-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2716-31-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2716-67-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2716-30-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2860-105-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2860-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2928-322-0x00000000724E0000-0x0000000072BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-266-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2928-338-0x00000000724E0000-0x0000000072BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-337-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2928-246-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3000-21-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3000-15-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3000-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3000-90-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download