c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97

Analysis

max time kernel
155s
max time network
187s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
Size

1.8MB
MD5

02a9ac55d45cba5c727b2b5d6c47d97f
SHA1

d60fc21f51f8d3289731e689e8270478b63e9ea4
SHA256

c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97
SHA512

181e407f3ee2fdc5cf6873ebadf1f0396c60e17dc894c8416d3c7b582e40a5a9053a839e48e85f7c7669629b3f9537e48306517269cd17d967b3648ee985258b
SSDEEP

49152:/x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAVCks7R9L58UqFJjskU:/vbjVkjjCAzJYC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
468	Process not Found
2880	alg.exe
1088	aspnet_state.exe
2832	mscorsvw.exe
1900	mscorsvw.exe
2208	mscorsvw.exe
904	elevation_service.exe
1268	GROOVE.EXE
1992	maintenanceservice.exe
2708	OSE.EXE
2684	mscorsvw.exe
2476	OSPPSVC.EXE
2660	mscorsvw.exe
1620	mscorsvw.exe
2324	mscorsvw.exe
2152	mscorsvw.exe
2688	mscorsvw.exe
2984	mscorsvw.exe
1708	mscorsvw.exe
2428	mscorsvw.exe
2224	mscorsvw.exe
2360	mscorsvw.exe
1368	mscorsvw.exe
2068	mscorsvw.exe
952	mscorsvw.exe
2260	mscorsvw.exe
2092	mscorsvw.exe
1484	mscorsvw.exe
1864	mscorsvw.exe
2884	mscorsvw.exe
2788	mscorsvw.exe
588	mscorsvw.exe
1544	mscorsvw.exe
3012	mscorsvw.exe
1368	mscorsvw.exe
2592	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cd26c4779b392089.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_el.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_id.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\psmachine.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_en-GB.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_es.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_it.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUTC38E.tmp	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\GoogleUpdateComRegisterShell64.exe	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\GoogleUpdateOnDemand.exe	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_pl.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_uk.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_nl.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_zh-CN.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_mr.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\GoogleUpdateSetup.exe	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC38D.tmp\goopdateres_et.dll	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2080	c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	2208	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	2208	mscorsvw.exe
Token: SeShutdownPrivilege	2208	mscorsvw.exe
Token: SeShutdownPrivilege	2208	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	2208	mscorsvw.exe
Token: SeDebugPrivilege	2880	alg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2684	1900	mscorsvw.exe	38
PID 1900 wrote to memory of 2684	1900	mscorsvw.exe	38
PID 1900 wrote to memory of 2684	1900	mscorsvw.exe	38
PID 1900 wrote to memory of 2684	1900	mscorsvw.exe	38
PID 1900 wrote to memory of 2660	1900	mscorsvw.exe	40
PID 1900 wrote to memory of 2660	1900	mscorsvw.exe	40
PID 1900 wrote to memory of 2660	1900	mscorsvw.exe	40
PID 1900 wrote to memory of 2660	1900	mscorsvw.exe	40
PID 1900 wrote to memory of 1620	1900	mscorsvw.exe	41
PID 1900 wrote to memory of 1620	1900	mscorsvw.exe	41
PID 1900 wrote to memory of 1620	1900	mscorsvw.exe	41
PID 1900 wrote to memory of 1620	1900	mscorsvw.exe	41
PID 1900 wrote to memory of 2324	1900	mscorsvw.exe	42
PID 1900 wrote to memory of 2324	1900	mscorsvw.exe	42
PID 1900 wrote to memory of 2324	1900	mscorsvw.exe	42
PID 1900 wrote to memory of 2324	1900	mscorsvw.exe	42
PID 1900 wrote to memory of 2152	1900	mscorsvw.exe	43
PID 1900 wrote to memory of 2152	1900	mscorsvw.exe	43
PID 1900 wrote to memory of 2152	1900	mscorsvw.exe	43
PID 1900 wrote to memory of 2152	1900	mscorsvw.exe	43
PID 1900 wrote to memory of 2688	1900	mscorsvw.exe	44
PID 1900 wrote to memory of 2688	1900	mscorsvw.exe	44
PID 1900 wrote to memory of 2688	1900	mscorsvw.exe	44
PID 1900 wrote to memory of 2688	1900	mscorsvw.exe	44
PID 1900 wrote to memory of 2984	1900	mscorsvw.exe	45
PID 1900 wrote to memory of 2984	1900	mscorsvw.exe	45
PID 1900 wrote to memory of 2984	1900	mscorsvw.exe	45
PID 1900 wrote to memory of 2984	1900	mscorsvw.exe	45
PID 1900 wrote to memory of 1708	1900	mscorsvw.exe	46
PID 1900 wrote to memory of 1708	1900	mscorsvw.exe	46
PID 1900 wrote to memory of 1708	1900	mscorsvw.exe	46
PID 1900 wrote to memory of 1708	1900	mscorsvw.exe	46
PID 1900 wrote to memory of 2428	1900	mscorsvw.exe	47
PID 1900 wrote to memory of 2428	1900	mscorsvw.exe	47
PID 1900 wrote to memory of 2428	1900	mscorsvw.exe	47
PID 1900 wrote to memory of 2428	1900	mscorsvw.exe	47
PID 1900 wrote to memory of 2224	1900	mscorsvw.exe	48
PID 1900 wrote to memory of 2224	1900	mscorsvw.exe	48
PID 1900 wrote to memory of 2224	1900	mscorsvw.exe	48
PID 1900 wrote to memory of 2224	1900	mscorsvw.exe	48
PID 1900 wrote to memory of 2360	1900	mscorsvw.exe	49
PID 1900 wrote to memory of 2360	1900	mscorsvw.exe	49
PID 1900 wrote to memory of 2360	1900	mscorsvw.exe	49
PID 1900 wrote to memory of 2360	1900	mscorsvw.exe	49
PID 1900 wrote to memory of 1368	1900	mscorsvw.exe	50
PID 1900 wrote to memory of 1368	1900	mscorsvw.exe	50
PID 1900 wrote to memory of 1368	1900	mscorsvw.exe	50
PID 1900 wrote to memory of 1368	1900	mscorsvw.exe	50
PID 1900 wrote to memory of 2068	1900	mscorsvw.exe	51
PID 1900 wrote to memory of 2068	1900	mscorsvw.exe	51
PID 1900 wrote to memory of 2068	1900	mscorsvw.exe	51
PID 1900 wrote to memory of 2068	1900	mscorsvw.exe	51
PID 1900 wrote to memory of 952	1900	mscorsvw.exe	52
PID 1900 wrote to memory of 952	1900	mscorsvw.exe	52
PID 1900 wrote to memory of 952	1900	mscorsvw.exe	52
PID 1900 wrote to memory of 952	1900	mscorsvw.exe	52
PID 1900 wrote to memory of 2260	1900	mscorsvw.exe	53
PID 1900 wrote to memory of 2260	1900	mscorsvw.exe	53
PID 1900 wrote to memory of 2260	1900	mscorsvw.exe	53
PID 1900 wrote to memory of 2260	1900	mscorsvw.exe	53
PID 1900 wrote to memory of 2092	1900	mscorsvw.exe	54
PID 1900 wrote to memory of 2092	1900	mscorsvw.exe	54
PID 1900 wrote to memory of 2092	1900	mscorsvw.exe	54
PID 1900 wrote to memory of 2092	1900	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe
"C:\Users\Admin\AppData\Local\Temp\c0e92d9cc901ecddac77d02d9fe82f29b094c84befeb5bb2b5db4df7b8aadf97.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 240 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 1d4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 280 -NGENProcess 1d4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 290 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 288 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 278 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 28c -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 294 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 2a8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 29c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b4 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:904

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1268

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1992

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2708

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
09c2a611479c24ae75a7e80992bc533f

SHA1
adcc6bb21fcfc964b7861bafd2f59cb4a886a7b8

SHA256
a94305e2c42ee4f4888478c0630a3c06fe23e2e62cf3945dab4bc7d2a6c79a6c

SHA512
cf6950c3aceb514679d4eadd7192b5fa0d09aa8b3e818dcaff5720b90cf2b51cd8c416fca024cc642edf8577211b9af080cfa442f4dd3daff83d08c39c841ae0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
7.9MB

MD5
6ca17619fd44f1737eb087e98bbd6631

SHA1
1b0ba00bdf045eb67b4fe956eddf44ac2a82441b

SHA256
afcbb5c2b25f44dc2ef4626eb5fe8e99fbe427a2a4e4daefda2f62af8827455c

SHA512
50e801b0ddc38fecf91a161fe9b37cc98b2438e5e9d4bea8e9b75bfa8b878e9ad4fe953ee018d2866fc711607a79ca49aadd639d1cfb45bb350b12d9b5a07aa3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
603da9003e6c9ee3d69d06d52f067d57

SHA1
088d9dcaad92068f5c78184656c94983335079e3

SHA256
17672fa616e51626e80c9a03f1c21ef9a0c03f9bd3fb92f4909d8454887ec492

SHA512
262b65d108436d20e6ae74180455fe1754a9b7003ceb24c923ff9f50c15e1db67872d61641476c1decf2039538ad40b2a7b772866adf3639109d59c06903fd13

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
19196ad1ba13e93fe4d50ff3db90c8b3

SHA1
dfc3ef5b81b0393088024fc8ecdbea432ad19a4d

SHA256
34ae9b066ee8ebc4f7f4150b5f0df976ade90e64e8ca34fea220ea262a11f959

SHA512
0970cdc386e92e9c42c90470cff0f2ed19c8c04d02e0cea5923c8742e04390b5b815382156136b884e7740109147823303943924069ff536a27197ed91b7cea1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
abe39680ba439e384e820fd1a09daa5f

SHA1
2bbac963617fa7719182f6e633031de6ed0680cc

SHA256
387595ff0969140c3df25e308efd92a65b89250a9405346b695b1058f9e909de

SHA512
99df5e47963455de5f7738ec0c2926ec538cf5a3f71bb462429604ca1d1b2071965a02f3d9d0b29b1e59b0f89834c465e54b833a7a368d157c8d36f1184737a3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
960KB

MD5
4efa8a481a9fc2349111e1ce7bca7cde

SHA1
2dfc0d2856517d7652a24bb32bf473c7d4df0124

SHA256
cbfbc3fea1c97fceb043c6f1e47966180849873ff712a25308ade6c78e6115af

SHA512
5508366e41dfa7acd2de23f4000bed90a45313eea7d93d222b45d7912b886ad2843cb2132c2423535a0437cb3e894885c4729d741aa87fa2a597671e0278b58d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
18067df96468fd5cd0da057c262cdacb

SHA1
822cb046156acef2a46cf0a000b716f4e64eaee7

SHA256
a5922137304f8da020610a019f1f706606343ff437f098a29611970c823ce8c7

SHA512
e5bf4be80a81b5b355e650463e4597dd6aaa9ccb85bbec3eb43c4411adbfffa7cf03bd624764cbc16a4ec835c441160695d8bef48be18a4ea10ddf0650a8666d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
832KB

MD5
c1dabe60c966bd4ffbd0ca03d324d0cd

SHA1
4510c229a75756b5d9e4b28b3866ef3711b6d5fb

SHA256
266b5f09c1a505a160e603c9e52a1bdde9dc9643c73195abdfaf931965b16343

SHA512
cfb71dee856687da67336e8b2ba07ffa368308f762c8a1cfa3c075cf7e1f0570e4dc962f374f181e4775bea7ac9e3e4c3fba45a8bfd91c5165b2a4db7c8ed173

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
d253ebb6fc67a29c6d339b1c120d822c

SHA1
47f88ddfeeb9e300a9449277e7c8bd2fdf76fb56

SHA256
9dbb9e890bdb17db507d5d6400c894ccb09686a7a2241addff5ff213feea6db5

SHA512
57b40fa09d7370f288adf96cec3b62b5ba4eeb104efe1df2db71c6e12316cabb0546f2c7eb55eee72afb4fc8f66ccc2ffa04189384b61d674c4af050e02ea755

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a53a7026bc281927da7a38c0fc2a4602

SHA1
3549ecb4fa5fa275a63f98b3bf6df9de5b8cdca7

SHA256
98f9e4d94c03a1a16ae18ba4ce35bcb146b2ca97f3fb0b2ca1f4d8e5eef6ece7

SHA512
d3756ee08f701fa0e33cd9394c0eaaab9705f2a72f7b70523ea9a58d438dcbad07a9b63c7c4e65425e8b42734b25712a1e7a4167e2e88d1088e8974b0e3aa080

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
330b21e65ddd2fd9e394284a0e3f3789

SHA1
90552027efa2400a231879bd6c4d3b5d0f5f75fc

SHA256
7b6ae50e0bf0f7123af2996df53952a84da3df289124707e62c900b31c816b9e

SHA512
b7406d5eab51722a8fcfe1caec189a58b44ec9e519150bc0b0b15ff0e8cc24c7698eccee2469ed0db8509872cce41b332c2373a13b332b6451fc1afc9460e796

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c3a444ceb9bfef911e8f3d1ca1bc4d10

SHA1
f4adff578a96231952a38cf765bd6be8d112944e

SHA256
3aa53b7af3830a990ddf2d1e8a84c28977809ce8991da3f4527bae9158f8ab76

SHA512
444366815e5514b2e0ae1ba2a7311ab70af8eb8aa2503d722627730228fe0c27db041b88fdff8f1c361c55b6c15bdd5e53a9b295d1fe2efd5d15f48b85bc1843

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
704KB

MD5
beeab71252a9cd77f78388dd01239cce

SHA1
dc4f1a20d229014c5691147c430b6daaa5ddfb74

SHA256
34e8d420c7b133eebd7552acf79cfd1d4a87bb35106876afab45b41e1217b266

SHA512
3f2afe9e35646315ce15084926809388a1d9db08090f178a3820e68b4ba2fa722aea25ec827b03373a40b393dbda9e06b8e8785cadf19310b0bd0138d5e23d7a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
432a6bfbab69700910220758cf94e22b

SHA1
9e250f4bdd599870a0eec950e7afa485a234a509

SHA256
ab7faa0ec092c978a7399d39fa669ca38fd4264e4d12cf5db461f0a777095a37

SHA512
eb1d8c7df2f19b30b794558e7c151f461995a072659a0ddedbea4f844ba239d7c77a7b1e6a38bbee19d9d99203dc74dd90225c10354bc7bec28c3885ecc3f541

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1024KB

MD5
9b988952b5816afb02cef90499aaec93

SHA1
e712c605c859521100e7e24dbfdaed3aa471482f

SHA256
465268152384199c8cdae59e4a4c32c4f26157f3a64134dbb716e1f921cc90ce

SHA512
915f02945d9134a14fba27c943b601f14952b85852e800a0432f21cae94d3cdf588531098df88079f21b7cac96853cd6aee4c3ac5fc6f7f02f52d410a79fb136

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
70e5dfc129b89dbc7e2970975b8050ee

SHA1
dfdcedb58de1437b50d5cd4acb4ffb4128b4ff1f

SHA256
d0519cb11f6bb4199d753f58895bc0e6a235560ef63448c280301d469515b728

SHA512
30cbbf51121f463e75ebbdda9b537d24ed0bbafdc30b6443b7e8424b2f7976266c60d9c833fa457c9343852b3cae514f33729d87409cb67d05b1bab2e35bdf2e

Download Submit
C:\Windows\System32\alg.exe

Filesize
384KB

MD5
7c47266f4acfad866d656f0b026c60c1

SHA1
a2d328f17bdf03f62217a44adc9c0d500096b880

SHA256
6a80e9964c2bab1fd2008c7bce85114b7e432ae17c070b4a3535fbb15de8dcda

SHA512
30df97a9d4566df3e997b91d89a24583d322883b782a2c824e24c858cca7608032d112892f0d264a089f891d14e81d64af44aa6a04e7995bd18827a034105ff5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
38ea0dc8cf4988593c941eced450e63a

SHA1
5450a76723f57a649cdb40fbe5643d627b5e5197

SHA256
9af01e14c9f5e7c9b7158b569fde6a1ffebde7f774de37b497b0368a2e189d4b

SHA512
c1f01400514894438c349f1a532fdc42cfbfe6ec371f6e3dbb3fcfc00d8d7432e7afec0a5b0a1dd810531701b4bf326c7b3d00a4dde1e807ee70fe7018da5bc1

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
13b8963e348f2d5d16cfd9bdd23e43ad

SHA1
4a2b9d3dd5cf8912601dc8000f15b8ddcec20738

SHA256
075ab7375e33dbb36f409bc7b55fab9f897a5cf6af12d7020c601acea8a69461

SHA512
68f8364c4ac558d56d3db58329dca8a846573d69fdc2a0172054a5ea2d59b703a6477d4d1074a10d169bf4a0cc88eb7e3dd41749a7902b416e7b968bbc389577

Download Submit
memory/904-231-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/904-260-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/904-230-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/904-226-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/904-223-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1088-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1088-212-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1268-244-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1268-240-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1268-263-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1268-235-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1620-374-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1620-343-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-375-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-320-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1620-331-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/1620-335-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-341-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1900-247-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1900-184-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1900-191-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1900-185-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1992-256-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/1992-252-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1992-249-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/1992-267-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2080-169-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2080-1-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2080-6-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2080-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2152-431-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-423-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2152-460-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-400-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2152-461-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2208-203-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-258-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-210-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2208-202-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2324-430-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2324-392-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2324-353-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2324-372-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2324-429-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2476-308-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2476-289-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2476-342-0x0000000072BE8000-0x0000000072BFD000-memory.dmp

Filesize
84KB

Download
memory/2476-332-0x0000000072BE8000-0x0000000072BFD000-memory.dmp

Filesize
84KB

Download
memory/2476-338-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2476-304-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2660-314-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-311-0x0000000000BD0000-0x0000000000C37000-memory.dmp

Filesize
412KB

Download
memory/2660-333-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2660-334-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-306-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2684-316-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-273-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2684-284-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2684-315-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2684-302-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-449-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2688-459-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2688-463-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-279-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2708-264-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2708-328-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2832-177-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2832-178-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2832-171-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2832-221-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2832-172-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2880-201-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2880-67-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2880-60-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2880-58-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2984-468-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download