3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580

Analysis

max time kernel
122s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
Size

1.8MB
MD5

124cd123d0a0296b283e9f9f2e6cebd0
SHA1

c6574f4196913ac74276bf722e9d0a4aeecda310
SHA256

3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580
SHA512

dc16da127b57246b0701d588f0cfc27986350624e78481d65413008e7cc95736e848c171e8d76c306b64ea0fe0a797abe4bbeb6ba2f1c58d25b98d0e100b53dc
SSDEEP

49152:QKJ0WR7AFPyyiSruXKpk3WFDL9zxnSsfpEGYcjW7zY:QKlBAFPydSS6W6X9lnhErWyz

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
468	Process not Found
2400	alg.exe
2452	aspnet_state.exe
2760	mscorsvw.exe
2040	mscorsvw.exe
268	mscorsvw.exe
2764	mscorsvw.exe
2952	ehRecvr.exe
1872	ehsched.exe
2900	elevation_service.exe
2260	dllhost.exe
2484	GROOVE.EXE
1336	mscorsvw.exe
2196	maintenanceservice.exe
604	OSE.EXE
2796	OSPPSVC.EXE
1548	mscorsvw.exe
1056	mscorsvw.exe
2000	mscorsvw.exe
1244	mscorsvw.exe
1012	mscorsvw.exe
392	mscorsvw.exe
1544	mscorsvw.exe
2720	mscorsvw.exe
2592	mscorsvw.exe
1728	mscorsvw.exe
2788	mscorsvw.exe
2472	mscorsvw.exe
3048	mscorsvw.exe
564	mscorsvw.exe
1012	mscorsvw.exe
1620	mscorsvw.exe
2500	mscorsvw.exe
2364	mscorsvw.exe
1336	mscorsvw.exe
1244	mscorsvw.exe
1780	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5da024877df8f25a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT3969.tmp	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\GoogleUpdateOnDemand.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\goopdateres_bn.dll	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\goopdateres_zh-CN.dll	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\goopdateres_ca.dll	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\goopdateres_lv.dll	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\GoogleUpdateSetup.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\GoogleCrashHandler64.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\goopdateres_ml.dll	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\goopdateres_sv.dll	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\goopdateres_en.dll	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3968.tmp\goopdateres_sl.dll	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{97CE7C62-6CF2-4155-BDCA-71784DFD933F}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{97CE7C62-6CF2-4155-BDCA-71784DFD933F}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1756	ehRec.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2408	3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: 33	840	EhTray.exe
Token: SeIncBasePriorityPrivilege	840	EhTray.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeDebugPrivilege	1756	ehRec.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	268	mscorsvw.exe
Token: 33	840	EhTray.exe
Token: SeIncBasePriorityPrivilege	840	EhTray.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeDebugPrivilege	2400	alg.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeDebugPrivilege	268	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe
Token: SeShutdownPrivilege	2764	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
840	EhTray.exe
840	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
840	EhTray.exe
840	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 1336	2764	mscorsvw.exe	41
PID 2764 wrote to memory of 1336	2764	mscorsvw.exe	41
PID 2764 wrote to memory of 1336	2764	mscorsvw.exe	41
PID 2764 wrote to memory of 1548	2764	mscorsvw.exe	45
PID 2764 wrote to memory of 1548	2764	mscorsvw.exe	45
PID 2764 wrote to memory of 1548	2764	mscorsvw.exe	45
PID 268 wrote to memory of 1056	268	mscorsvw.exe	46
PID 268 wrote to memory of 1056	268	mscorsvw.exe	46
PID 268 wrote to memory of 1056	268	mscorsvw.exe	46
PID 268 wrote to memory of 1056	268	mscorsvw.exe	46
PID 268 wrote to memory of 2000	268	mscorsvw.exe	47
PID 268 wrote to memory of 2000	268	mscorsvw.exe	47
PID 268 wrote to memory of 2000	268	mscorsvw.exe	47
PID 268 wrote to memory of 2000	268	mscorsvw.exe	47
PID 268 wrote to memory of 1244	268	mscorsvw.exe	48
PID 268 wrote to memory of 1244	268	mscorsvw.exe	48
PID 268 wrote to memory of 1244	268	mscorsvw.exe	48
PID 268 wrote to memory of 1244	268	mscorsvw.exe	48
PID 268 wrote to memory of 1012	268	mscorsvw.exe	49
PID 268 wrote to memory of 1012	268	mscorsvw.exe	49
PID 268 wrote to memory of 1012	268	mscorsvw.exe	49
PID 268 wrote to memory of 1012	268	mscorsvw.exe	49
PID 268 wrote to memory of 392	268	mscorsvw.exe	50
PID 268 wrote to memory of 392	268	mscorsvw.exe	50
PID 268 wrote to memory of 392	268	mscorsvw.exe	50
PID 268 wrote to memory of 392	268	mscorsvw.exe	50
PID 268 wrote to memory of 1544	268	mscorsvw.exe	51
PID 268 wrote to memory of 1544	268	mscorsvw.exe	51
PID 268 wrote to memory of 1544	268	mscorsvw.exe	51
PID 268 wrote to memory of 1544	268	mscorsvw.exe	51
PID 268 wrote to memory of 2720	268	mscorsvw.exe	52
PID 268 wrote to memory of 2720	268	mscorsvw.exe	52
PID 268 wrote to memory of 2720	268	mscorsvw.exe	52
PID 268 wrote to memory of 2720	268	mscorsvw.exe	52
PID 268 wrote to memory of 2592	268	mscorsvw.exe	53
PID 268 wrote to memory of 2592	268	mscorsvw.exe	53
PID 268 wrote to memory of 2592	268	mscorsvw.exe	53
PID 268 wrote to memory of 2592	268	mscorsvw.exe	53
PID 268 wrote to memory of 1728	268	mscorsvw.exe	54
PID 268 wrote to memory of 1728	268	mscorsvw.exe	54
PID 268 wrote to memory of 1728	268	mscorsvw.exe	54
PID 268 wrote to memory of 1728	268	mscorsvw.exe	54
PID 268 wrote to memory of 2788	268	mscorsvw.exe	55
PID 268 wrote to memory of 2788	268	mscorsvw.exe	55
PID 268 wrote to memory of 2788	268	mscorsvw.exe	55
PID 268 wrote to memory of 2788	268	mscorsvw.exe	55
PID 268 wrote to memory of 2472	268	mscorsvw.exe	56
PID 268 wrote to memory of 2472	268	mscorsvw.exe	56
PID 268 wrote to memory of 2472	268	mscorsvw.exe	56
PID 268 wrote to memory of 2472	268	mscorsvw.exe	56
PID 268 wrote to memory of 3048	268	mscorsvw.exe	57
PID 268 wrote to memory of 3048	268	mscorsvw.exe	57
PID 268 wrote to memory of 3048	268	mscorsvw.exe	57
PID 268 wrote to memory of 3048	268	mscorsvw.exe	57
PID 268 wrote to memory of 564	268	mscorsvw.exe	58
PID 268 wrote to memory of 564	268	mscorsvw.exe	58
PID 268 wrote to memory of 564	268	mscorsvw.exe	58
PID 268 wrote to memory of 564	268	mscorsvw.exe	58
PID 268 wrote to memory of 1012	268	mscorsvw.exe	61
PID 268 wrote to memory of 1012	268	mscorsvw.exe	61
PID 268 wrote to memory of 1012	268	mscorsvw.exe	61
PID 268 wrote to memory of 1012	268	mscorsvw.exe	61
PID 268 wrote to memory of 1620	268	mscorsvw.exe	62
PID 268 wrote to memory of 1620	268	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe
"C:\Users\Admin\AppData\Local\Temp\3d19166926c14726c3279dd103f47b160e10edf59660c9ad183c6f35a0a9c580.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2760

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 1f0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d8 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 240 -NGENProcess 264 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 280 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 184 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d8 -NGENProcess 2dc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e0 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 280 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 300 -NGENProcess 2e0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2952

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2260

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2196

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:604

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
21b17f835b34fd903054c49b9560f148

SHA1
d4722f615de891b3ddf37385552a787636199029

SHA256
1f00ce17829068495d3126306ead9c6eed4c9afe8ab6a439f68472201dbd501c

SHA512
8b126098d7299aa10d5a7da5e28776ffedfaf3bdaba6ba40ea9c8f3819ae1bf01c03fb51499cbf0efab24e173d279b4ff7299bae213912dc1b637b285b211c1b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
20640c370825429707bc9b4b299763b9

SHA1
1661aa0023d86bfce512235648a55d2235043581

SHA256
d6cf56433c2dffaff4b9db9f8ef53076bb121ab6f3da9c1612816c94628667a4

SHA512
5fe9aba6da49a45154238f20bee4ce7ceb4aa342b2d086caaa7714ed637f10c69da29bbc8b87941251ea519573baebe1b4ce9e8a9448249f30180bd39d00febe

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
cbbad28e284b214b90762ab53d989a42

SHA1
87d25ec73d702dd334caed57f4cdb40c2bd839bc

SHA256
101d077db6d73782fd6a1c6c2288ca48509ce5138c0976552ffc088df6efd899

SHA512
2f4627ccbf3234c06600d5e9224a299cf9d5b0a18a491f4b05f922db3031f786d4bae1318a0e93bcdf34c31c3b5e348c040e5fa0e1c5d3898851ac34e5d4e31a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
e93925a29e75fc07849ede75eef3a69a

SHA1
b5f5f08cfb89b459c88485abf0af914e5afe7eef

SHA256
058bc26467bc44cc36bfee324fa818d041661aa7351584cdc065c6f418f216a5

SHA512
f20caba234948ef19220fcc683f6cca7a958ff5ef1d34d0da7fd147ddd68d78452462241a44aa5172789855d8d66d5da4f06085f28436b9e42feb03f797a85f9

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.1MB

MD5
dc4cbc3d084a13f771b51340f4945118

SHA1
5a933e8ae7139afd19b033c22059d8c9c199500d

SHA256
574428f2cf9bb7cd4681032029638bd207d0612ceff2d783768842db9e89945b

SHA512
9335a436b3003dca9d4be22409c0050661750d17239a763223b0c3075781781ed7d9e18f2b26c1872d125f3417d6e60c2f67108feb9e7b82ffbd4105c625b53c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
10.0MB

MD5
ee6c622e326b0a7658b347572228ad76

SHA1
bdbbed140269d72d6ceee9b686bf0083f854b77d

SHA256
c0d172741b6abf17b79e5a6c9d666adfd81734cb40fda8b476e63e94f8c4fa87

SHA512
f1307ce7c0fae6def488235368aee7aa430699db6c0bccc8d7e22cf3a605e88f5b092c1d0e93e0039521d93c90e58ec895a87688d6eaed3223657fccbbc46a83

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
250KB

MD5
60fb1633aff2e9cb2105b7cd934286f2

SHA1
2f1b6e53cacd751ee0dfb1738c882464a0fb96d4

SHA256
8feb5ec0da302462619757f18e0d4ede9d4de8cb5fdf90a6e957a52ce15779d0

SHA512
3fbc1d57b0f2db07187973d132480e536c384bd1e07057a4355dd41dcbc081720131b300829fa8a7604f747d0904d903d0f860f75c024f97b76c8c6df6535c16

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
df05a120c1f618bc36938adb7fc6aeb0

SHA1
4b7381d88bd5236e9a60694d9f7264e6e8b6cfe9

SHA256
85ab8ddaf4c0459a2aada51e8e04adbb61bfae3a6385e34e5b2e23a04834185e

SHA512
b98e65ec1b8e2d10381d07d0e972224771f6176f8fe5ff7662e62c0160d2439d4f2e2ec03846909e0c53ad199c748bd166990662bb80eaacfa7c92eb6305b6f5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7be9330dbdf02488dc8bf875ab497250

SHA1
98a119fea69c2d39f29afba640a3c43cce0ed265

SHA256
27a8754c2364d5dd1ec04c0a0bdd7fc480e2cc5cc5802374cf048c42e79b2f7f

SHA512
32e0d454a0bc58f652af36e9c61fafcb23381aa8e83aecfb493eeac3b007a033a43c07d573b5c5f29ea82811c40c3ae2d4f50ebb95dbf84a8dc2eff8e2c59bd2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d4697bfeae1070797cb314b7c4f0695d

SHA1
6b24682700b933e490559559a34e49c7b93828d9

SHA256
4079424ee18fccdabcadf1935b17e9d6463d70cfb2e4c6816eef1dd6024595e1

SHA512
7ef77d25e36981b8f9c6e586b6d5cd01ecb88f196cf0d6a7779d8c33514703c1ded03756ead0e3296c714bc98974c1f936d9b54347a68e058d2f612634140433

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
95a8c1b9744b8b135ca5cfc993048043

SHA1
9f250047c9b5e764c1b40eb098997ff408f6f21b

SHA256
23db7103896a98324be03db9b3ca540957f6e7f2e2e7c0602272babe263eec55

SHA512
da37269334aa3d7e7de1dd8c9e17576cfb9b778e14bf8b233efe856bc749e9069430aa824fd35f84c04f027f12429b956a84fe080ee52a6530b1349c06be86e7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
efeb66a57e387561329b1e47733a3058

SHA1
c4dbfc64c8a5fcf7dabf3bf8e6346695c227db29

SHA256
c9856f9a4d0e837994bbdc96238777efd184f35715c35cf1c7a214370a9f8e7f

SHA512
3516b2e33c1751543e6f41534d70a6158a5f9fee5ecc3935ba5ce6e2ad1bb8e92bb86d56985250fdc54b72963717e734419d4dfea352b25c4d9d435dbcc25406

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
64KB

MD5
8517067a77509f9d0363bc05a73f1fd6

SHA1
7f7f52a823755043e77716657fe1f0712cc5225d

SHA256
f27c4874040578890c60efe20e9dc596376bdac5a1e3fb7ce479859b8552686f

SHA512
86bfdf1e12bff89029c0258627164ccbec917fc17d716392d853929540a204da8628c964cb7d134dd0b55c6829820ef462f44aacc53bad7648d4618aabc3ba97

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.6MB

MD5
7555a745379bb80900ea0ae1c088cb06

SHA1
a8ce84925c20d997c19b864080086f399927262f

SHA256
0e3f87f66acfc43cf6af686a8da3c41f852dce71698fadd14003789aa7e7d7d3

SHA512
a51dbe284e0a8be1b7973b9c03d2f37b708927ca86b711dc60a364dff3131bb320e4949ee9d624a2517e16ae19a38e70e640bd1ab95a362d3c6c9f5ad260f46c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.9MB

MD5
b20c79dac8c006e3c042fb2221b0473a

SHA1
c5d4d1d908c5d819d5defedf99ed96947a43ec46

SHA256
4452c77e67498dbe290b76817b7f39c1a2e1d3386626c497cae97cf3a1b61282

SHA512
b6671a149cc383b2b035d8b0d434bb919d0bce57b786a438dd53b567d8087ee5860287d88cd6a021d45139d9161f5bd8a0063eea3478e3ff149061e0b67a0c97

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
050497885f68b86c83a058d1c59a97f8

SHA1
a64ad0298942394a09c18a9cf0e3547508abd9c7

SHA256
53362005c0a02db6811ded8c1084c0396fc44cf5b07e43c769ec19dae6cb7477

SHA512
326f1d346cd276362ef10341cc071e2a9a37f03defb266f8fee0781f6e43f690312f01892ddd499002fa9bb320152ad3e71b7d635a38fde4feda171f98bacd19

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5a7492a6c7c660b0f5a7cec867457965

SHA1
1d9eb2578c894410017ed2022067942a99f9d058

SHA256
5a23e91782409e45d600ebc237bf86f919a48e78e8d7139fe2a16bc6b00eee8b

SHA512
74144f89ee36a1c5ced18d22be79abb303082a927a8dded07e93cc6770080e50ba35838b16de1836b84bf0a4db47b2a394d56585a6ff74ba39d1556dc58e5e48

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d4a3279e1b23040d744cf204f834c33c

SHA1
4ca1d72ecdd10c2a86984dee005aa75011c3c22d

SHA256
369b54c2684815ed06b15562d7a369d0be4ff1430e6b40dee1dbbc3f6b7d6556

SHA512
8699199e5f3d32e14f88c9c38928310ade8cc4417f8da770a20ad551aa2d757c2ef9cad86390c5474a1be5e5a0269e57b80de3b81f3a181adb5c21527a4592b2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
22a93025441c80836e199b1cb9835724

SHA1
f9d7bfbb2e52781f3c1312a3d7b7bce960864273

SHA256
9c3c4ca2e354b0d354a0ecf9b43b0bc869643ebd3497484d58b7d115a7cfdad7

SHA512
e16906f5fe16d6835470c08ddc2d08b1c146dd19ed7a407973c849c9295b659ec14cc179088bbd19151241f59084ceb9076f8a82058ab2da44259c5f473535e2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
6ca3aae34bf4a7b8316b03412015fe47

SHA1
a49b903e1b638096fa433658f54dd137f7360ab6

SHA256
17feb3c55d9f2eaf2d27330b140e3f87275009b23eeb39ee6249ae11cbb7ed63

SHA512
cebcfbdb653e1e6b1738269b0add9ec9772c95ebb6c908edf2ed68bfa8b099f0b3ca6cfe75adccb8ba0a3022711ce9ddcd5f8828f5e81d45a7303fc72d4f8b01

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.2MB

MD5
d752ce14a449d4b5a6abb475541cdcff

SHA1
d525c12e533928bae7a377ca11e91775c899c04d

SHA256
47134906e3d02e762bc4a64f6daaf55f556a7bd816285b0a5706bd5b2ba7c9f2

SHA512
c2a1da264cf50334c08bb9cb1a7a5f9b03903403c6e1c15ead8962d83f3c94b2cae924c694af7d134ecbfb20d7a786d35d5b7d90dd68753ad04d24d3a8e8ddb6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.2MB

MD5
1a0966c238a339462bc4fcb24d4f1391

SHA1
f0920d32c04e1729427f8815fc79aaba0957cd95

SHA256
04219095255e757ea477ab2c2624efce0a03f4e76dacf6b0c64e81d141c85c40

SHA512
5eb361f1e214f246a45bfe6cc1671f09defb6765851fd5c0ba96f761b198d4e6ad187ebe317dbbcabbab3bedd1caa5709e2462d5ceff7ea47ea3d695efca6583

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.2MB

MD5
297d257acf9d7ac54cce73b462764123

SHA1
ff9107a445bae8010809746f3966b350c21518a7

SHA256
2532333a076f1015b1b2a9dbe1804d2452c45851cb0f2cf7a67f2e77f73fcf98

SHA512
cf5477405c8a98070bf5aa5aa6d5f2447051143a58476639363527be4da722e389aacd7f166c04dd9872f1f6ae0f733445295b5645e385187a16c4c0a7d2c152

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e7c4130dc6f380f2f2690632c325dca0

SHA1
2dd3119dc634c04afc7001847a8c35333bd78013

SHA256
26439011683b115162226efa3a696e6ce069580911e6c22dddab36b6c0efcf58

SHA512
3d31d86cf2aca8a292dcc7df0c0ca94e9814835993692c89ea3c9dd869698b9d0a61d7253479870a30ca8eef5ede5d3c2dd0f2d1934136f0988bbe596fb0dec1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f8c5ded8da3a356ef0cdc9bdc96fa49b

SHA1
d3d654b7a5e0af23715988d7f3b2f7ea91b82256

SHA256
280ba2979f4a5b0fe9260cc84e79bb0ef7ddff75052c4e584e67baa11188c38a

SHA512
ab1ed8ae20152a002521bcfe8f09389de06b683c9da88e2efacd45647f73d5132b12e07d6332d06b0bfa76fa83ceb2460885779924ed7b8c62d6b102c19c407a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
46ef395d476db6457e071ef3c67910f1

SHA1
386134e70747ada0909692ed8689215c654f0638

SHA256
a33ad454a217ecee861b6619516a6557ab83c78d379b56f5c4ab14200e483672

SHA512
713916aa083219de357336d7bb959af28f86dee6fc15bc57930e3d4127f5899752957a49fb0006f24555e744945f822c261878ddff51e9b4434b75eead64d1a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bfe75d1299e874f50ab42c1c9b516540

SHA1
31edea425475bd5075e23b5d9a6627af6a6ea1ca

SHA256
788f67f9b8e1a08e2ef696af21f2f6823eff7012c3a37738d44d5122aab3fc50

SHA512
4ff20f3aa13e1161358884ea27959307e1fafb5fdd80f8d9279447b0d50843c5138cab9d082345d95c682c311e97194d51644a974c2473cde83adafbfe1e1566

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
b44985484c96711059455c0f7a2f0e48

SHA1
0f8ad72b9b24cc55035d7d9668186b1641d45ded

SHA256
a1da6a4c3f29d5373157e8cd1a5f9bc04e6ea20a3acf5ff7b562618762b5e5e0

SHA512
d6b7694c788305b308c53891aac53358cca374046d0dcb898269c1e26f725835809c044d3a6a29969c82f86165784ca5804d04115eb85de0cb9de7c2a1660ad0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c361288ca9fbaba01fcb37909b5730ee

SHA1
069bc098cbbf92578500660fe2ecde4b77fb304e

SHA256
3381c9daae55e31b12e5d5afb05f0a069acdfa442a2cba42ba044d3de22a0731

SHA512
403f83264bc7b013f60a05a028d556c29e6a1aef4b49b4d5d8f5e1ca3d85cb8c333d4bfd805aec69f67368167fe7e611ad837103bf111597d060f25fbac9043f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
a5ee2e2e2e70d5271f1f200c9694a736

SHA1
ffc0b4553081514b7538702106410bc216e6878e

SHA256
00908d0a05c06d5a8ca812d8fe8bd34f4e9a3282cfbf2206eb1ee0328e5d5fe0

SHA512
f2937c32d9d42e654b3f1b54f394727b626d4c9405c822f6f5b607018944003696d161d8d98ff8556622e04da50b210d7088b1ad515ef6e0b04b715fdfe3674f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
9c94b9bf79162f43f998cd6e35fb5903

SHA1
3fd060b3da999952d9e316354b9c2e4d1f3a8226

SHA256
5c243feebf0febbc09dad6b7e411f8413dcaad2d99fde4163e553a79e9d7ae58

SHA512
99ea33f7f844925b9e2b19f7159302aa79b84928a104a105a55ef6f0cda7b06bca1f476ee1c32be4a15ee7519e1f643c204b86e4c2d69a71d49ae599cd7994fe

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
aaf76a4d1db937427a8e756117d79a36

SHA1
52e772e578e9e4a978f3fd9716ed5e9da1d4da93

SHA256
b21074ace21599d84b7dacaa8e1b083064c58b8ee6048753b67672ca0d2ce125

SHA512
e66d7f7e026dbafc41131bdf5a04fed36f869c2214231e3745804a8529d4addf155af922f26e5fe3c7ac112ecf70de0c87f2405951358767eb29ff4229687bf4

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
86337406c79b486f6d6f2097629a1ff5

SHA1
b773cd84659921a59c011757499a5c14457a7710

SHA256
254da8048f7aa0b3258f2ba1359bdfb046c7b7945a8562689a92d133dfdb00c2

SHA512
b9f6f97b80361668fa2c31531a7d3e9de2c0d09c87944cac5d49c63309b0b752733e95466399268b5197438fbf90368f692f7187cefd2decd4b1cddf713500ef

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
12d1a695dc6822332398d90853d211ad

SHA1
7c526f62d0f39d583b4a29830883740f22089765

SHA256
be314080e2a073c6fbb1d9126133631d2727189dd3b20a2ae46daeb4fd0105d3

SHA512
ccecbda89f6914a4fa88a8c3779cb76e364705539f9fe522cf52168f7e7c783ef7e439009c401a166727a556662f62b6f27516957d694890c125e0e77aa2e79f

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d2b9f6aca21588bb4b54311419eb298e

SHA1
d25b8000967bdf7ead1c53d986a0184cbdbc41ef

SHA256
180fe469ca88c704c3a64f8fd1687f7a220e564576ee76aafb064ef075ee3034

SHA512
fa93fb65c775e5a73458938e6b8e556e40fedee114ed1dcbb8f93c57c4b806b5890ebc578eb8c330b3e753b0f916cb1fad425f5b4ab56f1be3e405ceb76f6099

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
751bf106ee9d0c1323099f50ffae9d54

SHA1
7df192a3926304e55f615ebb6d2a11e62203c2b4

SHA256
fab6e6eb6a0f91b0b780c29f99ae534c3609d6af2289b3e9cd8a376219491c87

SHA512
a82ff4225f9aef4f1c6265375c33f9f91d49250d7177aa111756833f18d3efcd5a5ded5c12f69593dca7642c408cb0a786cca4209301888cb8aed875f63b68aa

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
3a2474547dabe9d77a3b1132223ef83d

SHA1
a019ecc7b221a4072424a8ff5e85002c1baac73a

SHA256
0b5ec878d737fdf32ae1f7d922841e35358fd9dcc5304b5d6868dd8d4510ea34

SHA512
95e3f2a5cd71f52ad6a2fa37f7b528292f0e0868e7e6a934e31b91e66ca6c4da8db62fc991cf1a695171dd9bdd480fc3002d0505b8dc9c7ddc3c93703f60f170

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e8f1c0b4b5e73b0ca8621fdfa082eeb8

SHA1
ab96859f22b5c450becfdfe6f8e18ef3d11b8bf7

SHA256
5c548e1db7fe9125aa1afd1a6cde34e16c325974f4b85416a89c9467261ddb23

SHA512
4e2ec1270b96bf70337534fc45b11f1d1d176ba91db013edcf3b4a9fffdcb3adbe9a25132a4484151575885402c8603ebbe8cc03a62a1c756d298c8ee6d3fe1b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
960KB

MD5
b10435fe36ac2f118ee76268d40d2234

SHA1
6c52f922c63fcf10b199b95bc9cf1fa77109d3c3

SHA256
9b402f9e97b4413f9c36612b26ffb1c32947886b03c2c199afd3ded3cb0d3dc9

SHA512
173abdd289007c345c481fd22bfa04177f70a22ef7b4200c3110d592191c1c03d17bb12b1964fdcc35a8cd78b9cfe58aceb815a3f8cf30b8da546788d1c609a3

Download Submit
memory/268-128-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/268-274-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/268-121-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/268-122-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/604-350-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/604-347-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1336-397-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1336-339-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/1336-372-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1336-327-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1336-398-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1336-311-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1336-399-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-383-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1548-393-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1756-291-0x000007FEF4910000-0x000007FEF52AD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-361-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1756-349-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1756-289-0x000007FEF4910000-0x000007FEF52AD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-359-0x000007FEF4910000-0x000007FEF52AD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-280-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1756-324-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1756-380-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1756-345-0x000007FEF4910000-0x000007FEF52AD000-memory.dmp

Filesize
9.6MB

Download
memory/1872-183-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/1872-317-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1872-179-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1872-175-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2040-113-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2040-157-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2196-355-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2196-322-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2196-357-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2196-333-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2260-292-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2260-343-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2260-279-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2400-15-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2400-30-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2400-161-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2400-13-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2408-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2408-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2408-270-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2408-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2408-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2408-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2452-77-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2452-176-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2484-299-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2484-368-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2484-304-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/2760-98-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/2760-136-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2760-97-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2760-104-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/2760-103-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/2764-149-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2764-290-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2764-144-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2764-140-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2796-369-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2796-400-0x00000000744F8000-0x000000007450D000-memory.dmp

Filesize
84KB

Download
memory/2796-363-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2796-371-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2900-334-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2900-341-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2900-192-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2900-191-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2900-272-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2952-170-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2952-186-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2952-187-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2952-189-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2952-164-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2952-331-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2952-302-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2952-162-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download