9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
Size

1.8MB
MD5

683556597e89f3d7d682cc6adb6b3407
SHA1

5293755affd042afec7efc193699bd26168aad26
SHA256

9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6
SHA512

b3882501e020a33ae40d921380e9954b99fb621c9b0fbda4af583dfda67209d14510166fd8d0f7e1f6fdfaf20587a681dfbc57ecd3f77bac8b1ed13547f9252e
SSDEEP

49152:qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAFCks7R9L58UqFJjskU:qvbjVkjjCAzJQC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 38 IoCs

pid	Process
480	Process not Found
2688	alg.exe
2424	aspnet_state.exe
2704	mscorsvw.exe
1488	mscorsvw.exe
1504	mscorsvw.exe
744	mscorsvw.exe
1208	ehRecvr.exe
2032	ehsched.exe
3020	elevation_service.exe
1508	dllhost.exe
1652	mscorsvw.exe
2288	GROOVE.EXE
2888	maintenanceservice.exe
2740	mscorsvw.exe
3044	OSE.EXE
1592	OSPPSVC.EXE
2904	mscorsvw.exe
2808	mscorsvw.exe
1524	mscorsvw.exe
2964	mscorsvw.exe
1300	mscorsvw.exe
1480	mscorsvw.exe
1876	IEEtwCollector.exe
332	msdtc.exe
2948	msiexec.exe
1176	perfhost.exe
2340	locator.exe
2352	snmptrap.exe
1648	vds.exe
2192	vssvc.exe
1344	wbengine.exe
1408	WmiApSrv.exe
1632	wmpnetwk.exe
2044	SearchIndexer.exe
832	mscorsvw.exe
2484	mscorsvw.exe
1292	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2948	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
764	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\2ac085e1aad3ae89.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_pl.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT2869.tmp	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_id.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_am.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\GoogleUpdateSetup.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_ru.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5CF72A45-AD68-472B-BBFF-38A947BD74EE}\chrome_installer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_sr.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_gu.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2868.tmp\goopdateres_ar.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4D4A9CBB-0A1A-4FEB-BA42-D3B1525AFC58}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4D4A9CBB-0A1A-4FEB-BA42-D3B1525AFC58}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	elevation_service.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{425B726C-6610-41A3-8CEB-2D1809012DF7}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{425B726C-6610-41A3-8CEB-2D1809012DF7}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1792	ehRec.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2856	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	744	mscorsvw.exe
Token: 33	856	EhTray.exe
Token: SeIncBasePriorityPrivilege	856	EhTray.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	744	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeShutdownPrivilege	1504	mscorsvw.exe
Token: SeDebugPrivilege	1792	ehRec.exe
Token: SeShutdownPrivilege	744	mscorsvw.exe
Token: SeShutdownPrivilege	744	mscorsvw.exe
Token: 33	856	EhTray.exe
Token: SeIncBasePriorityPrivilege	856	EhTray.exe
Token: SeDebugPrivilege	1504	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	3020	elevation_service.exe
Token: SeRestorePrivilege	2948	msiexec.exe
Token: SeTakeOwnershipPrivilege	2948	msiexec.exe
Token: SeSecurityPrivilege	2948	msiexec.exe
Token: SeBackupPrivilege	2192	vssvc.exe
Token: SeRestorePrivilege	2192	vssvc.exe
Token: SeAuditPrivilege	2192	vssvc.exe
Token: SeBackupPrivilege	1344	wbengine.exe
Token: SeRestorePrivilege	1344	wbengine.exe
Token: SeSecurityPrivilege	1344	wbengine.exe
Token: SeManageVolumePrivilege	2044	SearchIndexer.exe
Token: SeDebugPrivilege	3020	elevation_service.exe
Token: 33	2044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2044	SearchIndexer.exe
Token: 33	1632	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1632	wmpnetwk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
856	EhTray.exe
856	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
856	EhTray.exe
856	EhTray.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1652	1504	mscorsvw.exe	40
PID 1504 wrote to memory of 1652	1504	mscorsvw.exe	40
PID 1504 wrote to memory of 1652	1504	mscorsvw.exe	40
PID 1504 wrote to memory of 1652	1504	mscorsvw.exe	40
PID 1504 wrote to memory of 2740	1504	mscorsvw.exe	43
PID 1504 wrote to memory of 2740	1504	mscorsvw.exe	43
PID 1504 wrote to memory of 2740	1504	mscorsvw.exe	43
PID 1504 wrote to memory of 2740	1504	mscorsvw.exe	43
PID 1504 wrote to memory of 2904	1504	mscorsvw.exe	46
PID 1504 wrote to memory of 2904	1504	mscorsvw.exe	46
PID 1504 wrote to memory of 2904	1504	mscorsvw.exe	46
PID 1504 wrote to memory of 2904	1504	mscorsvw.exe	46
PID 1504 wrote to memory of 2808	1504	mscorsvw.exe	49
PID 1504 wrote to memory of 2808	1504	mscorsvw.exe	49
PID 1504 wrote to memory of 2808	1504	mscorsvw.exe	49
PID 1504 wrote to memory of 2808	1504	mscorsvw.exe	49
PID 1504 wrote to memory of 1524	1504	mscorsvw.exe	50
PID 1504 wrote to memory of 1524	1504	mscorsvw.exe	50
PID 1504 wrote to memory of 1524	1504	mscorsvw.exe	50
PID 1504 wrote to memory of 1524	1504	mscorsvw.exe	50
PID 1504 wrote to memory of 2964	1504	mscorsvw.exe	51
PID 1504 wrote to memory of 2964	1504	mscorsvw.exe	51
PID 1504 wrote to memory of 2964	1504	mscorsvw.exe	51
PID 1504 wrote to memory of 2964	1504	mscorsvw.exe	51
PID 1504 wrote to memory of 1300	1504	mscorsvw.exe	52
PID 1504 wrote to memory of 1300	1504	mscorsvw.exe	52
PID 1504 wrote to memory of 1300	1504	mscorsvw.exe	52
PID 1504 wrote to memory of 1300	1504	mscorsvw.exe	52
PID 1504 wrote to memory of 1480	1504	mscorsvw.exe	53
PID 1504 wrote to memory of 1480	1504	mscorsvw.exe	53
PID 1504 wrote to memory of 1480	1504	mscorsvw.exe	53
PID 1504 wrote to memory of 1480	1504	mscorsvw.exe	53
PID 1504 wrote to memory of 832	1504	mscorsvw.exe	66
PID 1504 wrote to memory of 832	1504	mscorsvw.exe	66
PID 1504 wrote to memory of 832	1504	mscorsvw.exe	66
PID 1504 wrote to memory of 832	1504	mscorsvw.exe	66
PID 2044 wrote to memory of 1468	2044	SearchIndexer.exe	67
PID 2044 wrote to memory of 1468	2044	SearchIndexer.exe	67
PID 2044 wrote to memory of 1468	2044	SearchIndexer.exe	67
PID 1504 wrote to memory of 2484	1504	mscorsvw.exe	68
PID 1504 wrote to memory of 2484	1504	mscorsvw.exe	68
PID 1504 wrote to memory of 2484	1504	mscorsvw.exe	68
PID 1504 wrote to memory of 2484	1504	mscorsvw.exe	68
PID 2044 wrote to memory of 2832	2044	SearchIndexer.exe	69
PID 2044 wrote to memory of 2832	2044	SearchIndexer.exe	69
PID 2044 wrote to memory of 2832	2044	SearchIndexer.exe	69
PID 1504 wrote to memory of 1292	1504	mscorsvw.exe	70
PID 1504 wrote to memory of 1292	1504	mscorsvw.exe	70
PID 1504 wrote to memory of 1292	1504	mscorsvw.exe	70
PID 1504 wrote to memory of 1292	1504	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
"C:\Users\Admin\AppData\Local\Temp\9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2704

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 268 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2ec -NGENProcess 2dc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 220 -NGENProcess 21c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 238 -NGENProcess 2ec -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 184 -NGENProcess 2e0 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 330 -NGENProcess 184 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 38c -NGENProcess 390 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 3b0 -NGENProcess 390 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3dc -NGENProcess 3b0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 228 -NGENProcess 3d0 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1208

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1508

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2888

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3044

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:332

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1468
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
41416632f732832429aa107dfd283164

SHA1
ae5f8c206bb0c3846d0c830fef198ac9b8caec90

SHA256
2095ab9453991fa9dda91d2af420bb3593c9337e34b695da5270a8d4ed93ee39

SHA512
afb643d14c817855309c55eac43dce4ba101a8acc85a47335428635f0e64a27e3cfd4978287559de6d613a8e43a2f0c8fdb6c082c1b42f0f064918f002d184cc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
1d3faa97bd2f862f6c4599e314d4de99

SHA1
6b1e394757b39ad8ce5ba3e2b683389d2568fda7

SHA256
6bf58b647a4fdc2301e8ceec4c9507d88a474231e8d27f12bc1f65aceaeae64a

SHA512
f5f6a0eae3df566649e788751da249fce7a802522eadffa502bc6487d6bafd3baf32388114a3019f3d109d521caf20bac9649330dda6dd4bc9d1ec2364b4498b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
64KB

MD5
5b5632bc96bd1a0ed2ce249393497961

SHA1
6a52d4543d470e09597e7aa100a49f98608dc9f6

SHA256
44da5f360b0ccbbf6ef045802bf9a7985eb5d2edceab1c26e6fcb670ade7ac28

SHA512
8a5c1c14e4dcdb3a9527f5c70ba9d8d8c8ada7b74c3369c109a7be5672e285b111ead00f087c6df0340d87b93f74e5bf02a85e29cb92e2a501b327e161aa80e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
832KB

MD5
0ed70d4e060c006253107f35fcb9e5cf

SHA1
c57bf522dff564ab471e9d2c190ac92f57073cef

SHA256
5f534310769394eda1d4d15adeea9d980ca14409fa97f4b7d0ae35a3b3551e8d

SHA512
bc7b7ed92b9aa7acf3c4e1f0d28a6c47a0e6f23bd00691144863f67ccc249841ab7b72487b8938f71254c6c06855f2661fa7ce397139b49fe5ee12780cb74660

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
667209e47cb28d0677f8155256cf44b5

SHA1
eba63ab0b5f8bdafe46d082448e4eb1914052004

SHA256
4004c7b4d189c7b59e24327dc89c46a8c9a6747f32653a063f129a48f9351cb7

SHA512
86ae0732eb1817edf6ea927201b2a408413f7735b2027a0ebce47afdc7aa67c32a3677ae647c7a8ed93c87cc242f6c751a6a1d2b8329af4d0bc800957cd77907

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.2MB

MD5
6e86dc9e1843565aece2615130fe4a58

SHA1
c5abad45f2b6d01ad6f284595455a204000bd9c5

SHA256
f99982da557873213b90346e286d73dfe10b721e837cacf120efe94e4f87f06c

SHA512
29db0b677d7ebb7c9d866d6b0d7fb0808bf84e4cee939bc98b3cfc9f37a8cc19b042dd0bdafebbcc33ef41594d2a4510022a4730058b362154eecf82ea64c011

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.1MB

MD5
6a09579fe3452134a285a8e756660c93

SHA1
ebc9636ac41c00ba5435ce9af59456c2b9dd5636

SHA256
12c3bd73a1503e7da90b8fd6915601ffa3bc082ac266fd774ed8106328dc90ca

SHA512
acf1d4bee0b7c049a22af74c7db9f472a203b7f7a97776d7c5ed8bc6b028b6c554cf8e317f70282e4bb6062f46c6e6236ecdf378c5c7a19c6f5fce7e9c3e5794

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
832KB

MD5
6eafa8ff52dc5bf23af96b96aecf779f

SHA1
e6e44d688fb73f6fdc7f251cf92fffc476f8586b

SHA256
b32a702015484191b75f199dafaeed0dcc60d16851c534be5da4841873584b3a

SHA512
a684a875dea9589edd868cfa9c89e7cf7f2843246a0883737a9951f1df5db1ef01f63482c5383437bf0a91b8c5c4dddd613ef8d23d8f4908b17e625dec853a22

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
9ded9f4bcb8d0ad51b483314d5d1d129

SHA1
3206c547210651a9d76b8f3f35d76f587bb6872f

SHA256
2a1b2b269e2f4e3cb058a12e442af2b0942166b85e0de6de880178bf96398abd

SHA512
4e300bb50f3cf0345b40bc0b0e1696d788defa3f1b22c0c1a9accba19eb2c2181f8efae67f26dec10df36a5b8e0d46a7cf944c83b0f6bd730820227edacbf106

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
083b37da47b09fac8167150f95e8f07a

SHA1
03923fdd9e4d6e4e11fd519bb29ba90239877bbb

SHA256
c282ab3d380411f3891ac72dcbbef148f755a5647bc031cd98ef75159d338425

SHA512
4d8c1bef6d36988b624579fce3c7035c22eb32761a23a52072056970656aa393cd3f35dd1b5099c3d0d36cf2cda4c03105991022863e5d3fe65f38296e6471d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
5a6e36591e71c77d86b186912f4f7254

SHA1
21a4b814a288053a2ba58e1ae5c541359fd5407d

SHA256
9d1d33e4a5caff38e655f3e1ec252180a8292c7826fc57cc37be5aca50578367

SHA512
9357f8de855b193d5640a2759a3b54f6b48dd87d96dfe8cf2f28b232dd90a25ea1a7a09bc1ce144d01c4c0aa90a73ad488a140d2a82b2bf9438bbcd1c11d219a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
dd16faaa8060be64978279e939458fdc

SHA1
5dfc6a7e3699d98c50fab01361c0013236613a40

SHA256
25732d588494ccd81e91f019a07af566970f3068a5c995e5d2c47f5a0c7407b0

SHA512
997e73805722c8d35daf9da88f1166830988f7adb742d3d9bfaa13dfe3267b3a3a1d36de68f40a010ec8040dcac062c3c86e1d8d9fbbe2759798116e1afa6a43

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
ab60ba143cb3cf03a69b3125107925a1

SHA1
c3f1fa7c26aeba6eba12c4fabacafc2758176d4d

SHA256
a554b781b0a6077d39a72ce779e1093472fd036e4b9bfbdfebec5857030c2bda

SHA512
068a8c51e42d50fc9b6dc5190fb99a2660b78f13349a50e102996628233e0e296193a275c4205ed4034cc9a1aa9245a58c70617b78e905f3555e4be2c6762514

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9095b4e197719d63ba51bb33f0f28195

SHA1
d92556eaff165f1d20857f7a315767f3c1d95fa5

SHA256
5f046d443b7a594279d05b1e2e4b563388225425bbeea74715466f869fd847ea

SHA512
92ee977ae219e9b82f568b6604ad5b3c4ca0872895205110dcb95bd76413541195a3478c5156aab36c0e45bbec2001ca4f114ec1bcbf283e8fcde2bc2776b702

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
640KB

MD5
2a07426cc436866dce863fcf3f7be489

SHA1
349208ef657a8e7bdec5168a4c5a2ea6be171d26

SHA256
5d523aa62b1572652ddfd4da25433c43ea6b745951be2a5e7881341467489975

SHA512
0605ddd9886666ccc1ef8d4da4c4a33a9ad4124fa5a7241ec2942a147146794e793c5c46ed98b43896da8326e9ff8b9de0733e0aeba6f239a41dfc19c6f9a6bd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
2762dc9fc3cf05fcc5d21eedaa163644

SHA1
79ac7cd9f706801b13bbee5fa2908d3112396978

SHA256
6d13f920599083cfcde5bbeb49c0900548aa20394423c831b484ee2518c996e4

SHA512
33400193165f62c62a82d0f116a5f462787fd9f6eda5c159d761e44b87e1eb3829dbe245e805669640ce2161d03ceac7795fcba0fcaf2d4196a580ab95b8f705

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
61f7032ed622190ddb7d85c6cf81782f

SHA1
08ed9d97d1c767ca35f1a8b40301a74bdd06ef19

SHA256
00704904e88855831ac23fa83c1832ca664e5596b0b2908539ace32c52fd80ca

SHA512
5571fcc4cc73cac05a24b2c672a45b59baa8be932e7e6f0f2982ac60c1ef876782ec9fb1cf145977e77bb6a4966c4dd20bc435d589df416186773c4d81574e0a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
81b5a3b1907cc827ea682d66b5f8b8a1

SHA1
434110e4e2486e3ae2186f8c160e6c95511b9047

SHA256
9ef84641813dd00510b0d6e7f6c8f7ef95339880c53b4545e95e67c68d0c84d6

SHA512
5392dd09988f00ed729a0c4d48d3db4fe589b4739c4dbec885812ce7c943212523cba1ad4f90fcf4c184b6b750f74284d3e47342d6f3c7a19f6deede1f719ae0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
7d6b0fc12e53c87bdb4184dc7c4d7ee6

SHA1
0510b15c0f9bd882fe1774f4ae0e087f6d072cf4

SHA256
59b244022e1108a82253791ed221348bda308e5dde18930f60f71db75482387f

SHA512
a1f7e70ecabc2de9a86778875004b66a025064f1b62b0aecce67a36672f6dbedfd8dca83ac09f29232a3c70afd5ed5c2a8568e80565b6df7216e20db85787475

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
384KB

MD5
de41e24ccd05656e558588546c8695b6

SHA1
8721334e395347435cf05adb5207ce251a7ceb94

SHA256
2a8678938558b211dc676c9e6fe143d7a43f1e850da44c1fd555d5d92a44cafe

SHA512
5ab1d6da8383be27b3b1e12d863f461d7716a3805ad00a23c9fd20298f21a6b3699857db6d440a789110912720f7e83d64a9e598379437b19cea5540caf90cc0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\2ac085e1aad3ae89.bin

Filesize
12KB

MD5
4c6b6a42f6ce185f7577d610d734c493

SHA1
e0f01360bac803c3571a8261d950dea10b47048c

SHA256
7948a2c3206438de0500689c9ce51be2fcb2fd19615368c6d91be9ddaf166404

SHA512
10bc1187c7a46c38790aa06b6be0f1cd16bdfc8e1c0e0ae44d90ad04611072fa9aefebc1f47f9698c17999312d972885e1ee7761e1188a44196526693ff6d970

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
64KB

MD5
6390d8a5158817bd41a8e4649337b79a

SHA1
bb6483ded685fe43b0605e9efb969115f0dbda53

SHA256
37979141332ec687b9ae5a56dfab199eb5a6322e2cb3e69cca37ec1ca7143799

SHA512
c3d79bc358515be9695c13acac27e4ae31c34660e25c0172f6a402f68f5b35caa9190746c8ff9b3f9fc5630194f2d5bae44c0784ebb0de32a4d89cf17affe9a4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
128KB

MD5
14622ddf71b8ead79abf3f966243c64e

SHA1
cbc0cc6332d5abe44dacab45671033020240502b

SHA256
8edfc1a8aa45b79dba55368f6bbd5b67e5edbe71ae54d355526422e9fb6c75a7

SHA512
8c7f206b806c09e9c6610426f20277eb46f9f4f463266105ceab1492f121d6419f7bfa6b9e9e82d03612f8e138349281983fb33c6163c5f806ac1e4a4b0ad218

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
192KB

MD5
bd87bf901e7d33a9a814d78f2d6806ab

SHA1
0a8bd1236fc9ba7b9af0f3c7a2801a295ae29239

SHA256
c6474e186ab8b2f6cb19513cb3dc79618c03946a36df18eeb46761a1fa94634e

SHA512
d8a7a902b8b36ea356df634c9d3ece7a5a93a8d3dd26e77429c38c3122d978843d16fd10c9b52f18ccb844a83be09e4ac547d14119d0996061371cc1471a02ba

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
192KB

MD5
aee210fdb511bb7b9ec475f25d05bd4b

SHA1
8ea824b31a9e0a11fbfb4ea327927f9cd5f7d032

SHA256
deb8271d274d7373749e2ddab5c73bb13f107bbe0ae92d9a0376cb1d89d14d56

SHA512
ec49e6db6d3b3781db328c7514e3faade7d145b5fdaf8b289b33e11be81eb1f1ed9988b181a2292324b27d50c9e909cc22f25b171994ca2fa5d42b5dd5245282

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
384KB

MD5
1031b71943e3d8845e699115daf72ca8

SHA1
7ab5cb807564b2fac765f13ece7cacf6927470a6

SHA256
caf92b390087eb1e2157ff398d45a0ee9064029392e14bd4d45e587aab312cb8

SHA512
1e7057b87a2ba71a69f6738485fdad82496837f43d92fc632d8fae0710a9711948db1149da99983edcd43523320e283c32fef0198e287f8732b4f1bd9f47ae0c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
a6a4cf00ebd6423255ef42c93f9fc247

SHA1
ebc9e072926837700858a0f982107cb38ac7ccc5

SHA256
c881d6da9044874d45f229cc0b963148e30ed884f32b59795d9f2cd7907e3fde

SHA512
0acaa0ee38e1a20cfcd5c7e4c6dc7a7b86fdd25f8c4db66f7f41f99386bafb23507e79f784828b67e6bdbb0e3048645af8d9e2aa8db385eec8e1a71bfc0f1bb2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
192KB

MD5
bc30540174dcd787b7b96d2a36f88ebe

SHA1
e8bb0b54d93d7db37f6b32a493e9d2cbff594aa8

SHA256
82a1929280b72445fbcd5098c8640044e4c6f511b313e6b9130f98e73062dd9d

SHA512
d80ab1a482fb5d4a058d4a13411cf4f36ad340da248901cc090ae9b39dbec935c3e06fb3bd93aa6756d989189e59becf5feb962f1a69dcbf831c6fac138459f1

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
320KB

MD5
0c4e3ef89f5a2fa8d313b40be398b26e

SHA1
173abfbb02d1bbefd5a8ef713a3c231c3559e991

SHA256
0599973486288d9dba6f8a7a2e4702443548d944c8e045857441ac92088b87a7

SHA512
1b6e12c25fa0a9717c4fceb89ca4761a4aacf48c29e33fee6cdc7f4a20c1809f02025c2ffd01879304766eb6952e9cccbc6eff8687e456581737ad7da50b0ff3

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3c1be355b7877013a1fe8206afafeff6

SHA1
ddb3b4e158e6398dc0bb5a13ba7aac44804a25d5

SHA256
11ba54083d520e057c9c938ff534e6c8165dc69868e454d940be992d40b3313c

SHA512
d7d39403ade705d137f47633bfda2306effb0add0ea679feda688a544241f3afcaeb32d81d6a87e4b1707f23b9a8e61bd5836187db831538c428ad0c8cbdb7d5

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
8ba169f0fd80928fe368de6499368c53

SHA1
385d97467b8f8908f534bb2c59c181d2191ca283

SHA256
7a5c6f21e59c9169504ce6b763811b0c822fb7d505f0b2583718589436630826

SHA512
2582e7b2d4576922559ab9129e8c621bff304b428c5823b80a899766b8bae77a7ae52814c9ab6e78f253dffba2d1f38fd4ed4b6519f0e82cccacc53a1036d7b1

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
320KB

MD5
64a81f940cfaa32980ee0e58e83e3624

SHA1
96e9133ecd22fc45cfaacd5d748f4c06a60e2507

SHA256
ce12f33a19f308bbc0db22d3ab3628730f10d2eea9764931c582324107f25a9b

SHA512
b11602a63c2fd254a092aabd44f52af6007441a7af7e48f79298ea2b010d728d771b9f32af1843832f979ab0df41d788ae89f30401d62cab8865e8a527fc0e8a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8a7e332c98c66d8d9cbe7620cf81fdfc

SHA1
7fd1b6ecc74541cba088307c2158871d1485d949

SHA256
13cb13097c6811bdc5b097aefb655c0ac9c23f1c19870c16fb1cf32adb7d7924

SHA512
95fbbd3c7d35889cd12a56e9d68394fb1dd002b20a79ecc8f02462cd5c09b4ead1716ff551e6f16f2368e4192a4c4e13fc58145148a7d9a673a77db8807a39bc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
9071f454de020754c71074d325963b98

SHA1
d170a62d67b4cc85a7c534c908d9b087e1b970a7

SHA256
a4d612553253de5804a950190ac77f94b47ebd538edae2bab58d20a494a0ca21

SHA512
03d495c11581489d9d753dbc0f7584237a92eb57e03a538a16c4d98418880413605f8664ec8f6172ea903e1285dad3b542bf57d9b8224f1ad9c42c1ad49dc848

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fa1e6d893339d3ee532fe86300e177ea

SHA1
4a5d6cb6ff115a22090961d053bc79be4254219f

SHA256
81f82d0fd255f96a08ddea37ebcdc5b5bd889d1699ba306561bd78d70db9b58a

SHA512
f9c3e8ad750b7baa3c0ace9fd6606b0190691180b3dffc65a065c01685a6f00e1a7bfa5e1f2041268eea610fdcb08b35e434108cfdbf7f3cb0cec20c2cc9fd45

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
77349f2913f4d2a4124bf8d7539c0bbf

SHA1
627cca0c5e825e27a979687b7a4c765b603cd919

SHA256
d6646394987b3e303165b4c5f535748f302a9c7df2c3b26f81858c8f305f2198

SHA512
b3511ac72b73ac2c49b370b5a82b89187fd6034e34c98b27ebfc019a4895b6a7305a0266db0a87c2d654b7b0beb7a781259a0388c619eac0f26e8afc7d421208

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
d5927e84d932a44cce19858f4d9b6813

SHA1
1d5c3617a7d530e99994b099ce535a901fd676c7

SHA256
8d643ccd552c7828108d46318b56f746759701de75323711fce2a4932d407dbf

SHA512
a36717e8962f867afcaf8afd61f030e433e758ed48317a5505923e165bdd4629579e82ca8fe6f1cdda4b61accc9fd63c14d8b5c82ddc1822309821f28a571d1d

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
91d3142ce9c5f981e82ba5c7e446c5a5

SHA1
26806c31bd90c5f4bc7517cce193c39b07cea09a

SHA256
f40eb502429320ab196f495bb5a15a38013f92fbe01b617f30e8c00ab52a7f4a

SHA512
225b462076310f5e3bcbc8215763d22ee883f47418d43b52626ae5279e957f85934d1daad5b6d2e63f8299d5a6f38ec9c6c2fc57be2d987196c654a5e23f4bb4

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
71f9666b2b9d71536c7c7999fcfbd8f7

SHA1
71077788dc3f03bd0c662a334dd5ef3c008bd83e

SHA256
b2b87ce6b27938a05b9b741b22c3ef6938126d0e10e24b1fe8cb4b0402190ca0

SHA512
b5eb3f7e304c6a4a59d1cea3fd8649e3c0064a673cdff78802d621858571e357ea09839100bc3cd57d8cd003f90075c1c4f0abb08a04e5fb8bd941ebda61b4d7

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
f782890f37142e07e8dda27140c5f2a8

SHA1
b8c0946b9552e742e96c92cf2adb5856c3628cf9

SHA256
3e5b74cee9cdd21c6afab8579248c97975234cce6e29502262bc8e1e9aba3717

SHA512
f7ab8a57ecd5714b2927ae2b4653fad9410d2c0ee2f19698bd0e0435e9437d2da60e41a5ed6098f0ab30eeae3a839efd48b89ddc1dce66d96504cc32c2af6e8f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
9c8917d63d7b519343ec5385f6c03fd4

SHA1
53464d9343d4ee4d8cc533e5d60ddf5be57adeb8

SHA256
4a904c14e92b88cd136c957e84dd7554aa784deff6b169e4f2b9d820604d7e26

SHA512
904a6ebf028402659df31fd9884dac46d610e638a66621c2aa1c51920e9b558373c34fa4ac64e6c8d8c2517fbb73e627ebf904465408e107c2cb1ca7b037a386

Download Submit
\Windows\System32\msdtc.exe

Filesize
256KB

MD5
6799516cf6799d01628a4dc0235c9980

SHA1
360e5db6c3cb70227bdba8aadb8b5fb40d183add

SHA256
11e0db0536b4b7a617557cc00ee33cc22aa2fbae96a02d84de1c881b4810a581

SHA512
d604e4c6fae0305e4a7e916fc742eb593c99730079363f515c8ad25e00ee31eca738c1e884bfab9fa22f8cba82d25494d09adc7b0e6d196b6ac374effdda2e4e

Download Submit
\Windows\System32\msiexec.exe

Filesize
192KB

MD5
17034df8a300f3eb54d77fa34c7dfc04

SHA1
683c32846966213efa75fd8f7a57960ebd5b6980

SHA256
1c9f06e6da2cce5d82289606624bec2af63b7bee608b8a90e807c2ff59758eb2

SHA512
8d1d9b7499f014b5da4a4d1eff350ca73370fe07dfb5a412d3710789b06203e00af6d53802c27d7ec07ac26fe9279b72346201b8b7b0c0e63b8cdfbc1e407523

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
ae3c22ac902e99402159c25cf95c1478

SHA1
19d16a47bfce758bd10c35318f17c0f2053d64b4

SHA256
d26fca7e1fb47fe55cbb7a97301084323bac68f5231a16cbf945f5a039ddec8a

SHA512
f28a23e13e8e1f4ebabd47c41c771e1013f17f2ff1ce3ceb6ff1f9da7ed8ba4c76c1bc23438bb4001bd1d210cc1d0d841a0bea92f00940652ffee8563cb4b2ab

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
05739c84a6020aa2444c34c1c696b68e

SHA1
ac6990bba00f80f0611dce9bb6e07e5f5d951170

SHA256
bee865fa7d5945bceff33a832be88b452c79a150b56048b7fa5253a446df4d1a

SHA512
5b09874040ff0531396cc4f5bd941ab1f0e26b29ffe988890af7457e32d1348d7884ccee8016f3c4add1dd62f6eebbe9cf8a90a6624b2262a34596e06982a4e9

Download Submit
memory/744-131-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1208-157-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1208-286-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1208-141-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1208-543-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1208-155-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1208-153-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1208-150-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1208-143-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1488-104-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1488-137-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1504-115-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/1504-265-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1504-114-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1504-121-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/1508-270-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1508-271-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1508-267-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1508-260-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1508-332-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1592-344-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1652-280-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1652-369-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1652-307-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1652-287-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1652-346-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1652-279-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1792-295-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1792-350-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1792-330-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/1792-263-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/1792-325-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1792-257-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/1792-261-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/1792-353-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/1792-323-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-374-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2032-161-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2032-168-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2032-163-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2032-298-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2032-487-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2288-300-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/2288-291-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2288-357-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2424-84-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2424-160-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2688-156-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2688-15-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2704-112-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2704-88-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2704-87-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2704-93-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2740-351-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-312-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2740-545-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-367-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2740-329-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2808-538-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2808-542-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-533-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2856-250-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2856-0-0x0000000001EB0000-0x0000000001F17000-memory.dmp

Filesize
412KB

Download
memory/2856-6-0x0000000001EB0000-0x0000000001F17000-memory.dmp

Filesize
412KB

Download
memory/2856-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2856-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2888-337-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2888-338-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2888-331-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2888-317-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2904-368-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-365-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2904-356-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3020-173-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3020-319-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3020-174-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3020-254-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3020-255-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3044-340-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download