a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
Size

1.5MB
MD5

b5af4ab8712ca9234c163eff4b478328
SHA1

7ca3e28342ea01ac68c98f659e7010705433922d
SHA256

a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9
SHA512

1d80c47bd2f15c4e9901da6707e9bd39ae5445a7176303a8373ea027c30e11accfe98d69f555f32aac1bc492c7fc388abdda770d1561c3197e133fd15d82c766
SSDEEP

12288:mf3dK3aAXOILyiYkqMk7+KzubUtYJPfaNiBGwLFzKGMaoQWHMI+XG9:S3IThXbqT+KzWEKS0nFz1MaoCG9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
468	Process not Found
2080	alg.exe
2572	aspnet_state.exe
2872	mscorsvw.exe
2376	mscorsvw.exe
1856	mscorsvw.exe
1432	mscorsvw.exe
2192	ehRecvr.exe
2044	ehsched.exe
2592	dllhost.exe
2508	elevation_service.exe
1564	GROOVE.EXE
1072	mscorsvw.exe
2060	maintenanceservice.exe
1784	OSE.EXE
2816	mscorsvw.exe
2472	OSPPSVC.EXE
528	mscorsvw.exe
1700	mscorsvw.exe
2168	mscorsvw.exe
2284	mscorsvw.exe
2856	mscorsvw.exe
1620	mscorsvw.exe
872	mscorsvw.exe
1744	mscorsvw.exe
2504	mscorsvw.exe
2772	mscorsvw.exe
1100	mscorsvw.exe
2744	mscorsvw.exe
2676	mscorsvw.exe
2656	mscorsvw.exe
2812	mscorsvw.exe
3004	mscorsvw.exe
2100	mscorsvw.exe
1628	mscorsvw.exe
1584	mscorsvw.exe
2360	mscorsvw.exe
1120	mscorsvw.exe
1056	mscorsvw.exe
1556	mscorsvw.exe
2744	mscorsvw.exe
776	mscorsvw.exe
2976	mscorsvw.exe
1124	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\91fc4118ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC793441-C1E4-489D-9786-D28D4FA56ED9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC793441-C1E4-489D-9786-D28D4FA56ED9}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1572	ehRec.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2804	a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: 33	2384	EhTray.exe
Token: SeIncBasePriorityPrivilege	2384	EhTray.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeDebugPrivilege	1572	ehRec.exe
Token: 33	2384	EhTray.exe
Token: SeIncBasePriorityPrivilege	2384	EhTray.exe
Token: SeDebugPrivilege	2080	alg.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeDebugPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe
Token: SeShutdownPrivilege	1432	mscorsvw.exe
Token: SeShutdownPrivilege	1856	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2384	EhTray.exe
2384	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2384	EhTray.exe
2384	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1072	1856	mscorsvw.exe	41
PID 1856 wrote to memory of 1072	1856	mscorsvw.exe	41
PID 1856 wrote to memory of 1072	1856	mscorsvw.exe	41
PID 1856 wrote to memory of 1072	1856	mscorsvw.exe	41
PID 1856 wrote to memory of 2816	1856	mscorsvw.exe	44
PID 1856 wrote to memory of 2816	1856	mscorsvw.exe	44
PID 1856 wrote to memory of 2816	1856	mscorsvw.exe	44
PID 1856 wrote to memory of 2816	1856	mscorsvw.exe	44
PID 1856 wrote to memory of 528	1856	mscorsvw.exe	46
PID 1856 wrote to memory of 528	1856	mscorsvw.exe	46
PID 1856 wrote to memory of 528	1856	mscorsvw.exe	46
PID 1856 wrote to memory of 528	1856	mscorsvw.exe	46
PID 1856 wrote to memory of 1700	1856	mscorsvw.exe	47
PID 1856 wrote to memory of 1700	1856	mscorsvw.exe	47
PID 1856 wrote to memory of 1700	1856	mscorsvw.exe	47
PID 1856 wrote to memory of 1700	1856	mscorsvw.exe	47
PID 1856 wrote to memory of 2168	1856	mscorsvw.exe	50
PID 1856 wrote to memory of 2168	1856	mscorsvw.exe	50
PID 1856 wrote to memory of 2168	1856	mscorsvw.exe	50
PID 1856 wrote to memory of 2168	1856	mscorsvw.exe	50
PID 1856 wrote to memory of 2284	1856	mscorsvw.exe	51
PID 1856 wrote to memory of 2284	1856	mscorsvw.exe	51
PID 1856 wrote to memory of 2284	1856	mscorsvw.exe	51
PID 1856 wrote to memory of 2284	1856	mscorsvw.exe	51
PID 1856 wrote to memory of 2856	1856	mscorsvw.exe	52
PID 1856 wrote to memory of 2856	1856	mscorsvw.exe	52
PID 1856 wrote to memory of 2856	1856	mscorsvw.exe	52
PID 1856 wrote to memory of 2856	1856	mscorsvw.exe	52
PID 1856 wrote to memory of 1620	1856	mscorsvw.exe	53
PID 1856 wrote to memory of 1620	1856	mscorsvw.exe	53
PID 1856 wrote to memory of 1620	1856	mscorsvw.exe	53
PID 1856 wrote to memory of 1620	1856	mscorsvw.exe	53
PID 1856 wrote to memory of 872	1856	mscorsvw.exe	54
PID 1856 wrote to memory of 872	1856	mscorsvw.exe	54
PID 1856 wrote to memory of 872	1856	mscorsvw.exe	54
PID 1856 wrote to memory of 872	1856	mscorsvw.exe	54
PID 1856 wrote to memory of 1744	1856	mscorsvw.exe	55
PID 1856 wrote to memory of 1744	1856	mscorsvw.exe	55
PID 1856 wrote to memory of 1744	1856	mscorsvw.exe	55
PID 1856 wrote to memory of 1744	1856	mscorsvw.exe	55
PID 1856 wrote to memory of 2504	1856	mscorsvw.exe	56
PID 1856 wrote to memory of 2504	1856	mscorsvw.exe	56
PID 1856 wrote to memory of 2504	1856	mscorsvw.exe	56
PID 1856 wrote to memory of 2504	1856	mscorsvw.exe	56
PID 1856 wrote to memory of 2772	1856	mscorsvw.exe	57
PID 1856 wrote to memory of 2772	1856	mscorsvw.exe	57
PID 1856 wrote to memory of 2772	1856	mscorsvw.exe	57
PID 1856 wrote to memory of 2772	1856	mscorsvw.exe	57
PID 1856 wrote to memory of 1100	1856	mscorsvw.exe	58
PID 1856 wrote to memory of 1100	1856	mscorsvw.exe	58
PID 1856 wrote to memory of 1100	1856	mscorsvw.exe	58
PID 1856 wrote to memory of 1100	1856	mscorsvw.exe	58
PID 1856 wrote to memory of 2744	1856	mscorsvw.exe	59
PID 1856 wrote to memory of 2744	1856	mscorsvw.exe	59
PID 1856 wrote to memory of 2744	1856	mscorsvw.exe	59
PID 1856 wrote to memory of 2744	1856	mscorsvw.exe	59
PID 1856 wrote to memory of 2676	1856	mscorsvw.exe	60
PID 1856 wrote to memory of 2676	1856	mscorsvw.exe	60
PID 1856 wrote to memory of 2676	1856	mscorsvw.exe	60
PID 1856 wrote to memory of 2676	1856	mscorsvw.exe	60
PID 1856 wrote to memory of 2656	1856	mscorsvw.exe	61
PID 1856 wrote to memory of 2656	1856	mscorsvw.exe	61
PID 1856 wrote to memory of 2656	1856	mscorsvw.exe	61
PID 1856 wrote to memory of 2656	1856	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe
"C:\Users\Admin\AppData\Local\Temp\a26e84ba99dbac26181aef7012ca210c415f7dd0102fc39417106c0a4ec44aa9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 254 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 26c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 288 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 28c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 258 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 294 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 184 -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 1ac -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1ac -NGENProcess 184 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 2ac -NGENProcess 294 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 288 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1c4 -NGENProcess 1ac -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2cc -NGENProcess 288 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2192

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2592

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2384

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2060

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1784

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
e844cc37307b8142c99c7dca1925801d

SHA1
80a333070aa7cbc76e1bc36deb44d3f0b3116e71

SHA256
919259ac4e3a3f4b3c45c5232cbff7cb5829d934b35fd1cefee6dc8d8ad461de

SHA512
39d92b98a16fc83734e7614df1da279370b867019b8849ef1633f0ec7199080e4d75cb67328c54041c24fb893c345cf4a8878201cd60bfa3aaea7eab7464fb66

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
a64542b4d70b184af0dd6817e65673cf

SHA1
dd116a1d50cfff584a6dddba3c929367f84f921b

SHA256
cce2c9ddf7ffbb806dd43413b287877c653d433fcca9e6c025a8af77c59821fb

SHA512
8f96f39ec2b7140de1cea48891958f3e5527049c57804bb6c156f271c44381ac99fa8b590af6910bd7f479c680ecb265591e0cd432f8809ef59c50301e6326a8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
0bc2d564ddb3cbe9d318d710f019519b

SHA1
81582f61a24089e40ec4aef6a86704811ddf9fc0

SHA256
b42876c5d68b52f7ab8f5cc72024749fd2906d69717f1e16be1ed1f39dac37a0

SHA512
336d56b378b3b0d04cdf84aea7d2eea6c4f13e27ff9f2ba83c4a47919437255c460885ebf4f10b480879da7fd33e6d02f038a65564f0d9bf0395a3fe0bc8b263

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.3MB

MD5
70381aa9cee10ebc1640a9702282c783

SHA1
d2768ffc21113e4a41113211d299a51e9e4f4765

SHA256
36c4c3ba95cc26a2f473713fdb7c12f843e3decb530431a2f84c3d9b16da103a

SHA512
e61be752578d11cc518a8a270e4a73bb3180fc2a206412865ee65120e87da19c871a0d7ce04425791f31ba60d7d5dde761c042912ef65ad48ce9221be9ee9c30

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
c16e9b7f339fe5731d1e9a0bddf44597

SHA1
03b0559a409721b12b405d78f66c18477cc10d5b

SHA256
ab6d8f54c3c8345723a4af73d326c23825ae896ab84f8ba019f2403b23447fa0

SHA512
5d29e44cad14ad59281e76f836e7627c9b6a04dc1176b273243cc9cbbdf4984d99a0e68f31b557c6001e0ee2aece7d0a081bf3e21d284162fc9e65890f8aa7e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.8MB

MD5
e5a7778944aab175c13b3e7b5ff1d74d

SHA1
5af3045bf84b6df965a37d6b9f9a1127b6532c1a

SHA256
d432ebc8a190e216e3517dd7854f8201183eb0ed158f9cc0aadf190f699bdef3

SHA512
43976902ea3a29e5569aeccb5c9fd6120a985560859aabf406d4e721fca5913e93b9fa5b32bf2c2d3cd524b5e5b7b00895a6f925bf900b3587a3a3d7bb2d8253

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
9331a835ecd1643d75df20b07bd550be

SHA1
424bed9754acd700ed587f4a8b521661150ac4cd

SHA256
7ea9146997912764dc706dd9d281628d33e37c48e7bced764c736476d200ceae

SHA512
9fa3987999112dea5b7c2f061be70c92cb8dc005a4a503ac2d2ca30a641649182bbd314acaf45dbb2c84ff04faaea28b4eb3b15a07d4ece1694cb3558d3eaa62

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
78f6e1507c20264f39fb2af68fa38829

SHA1
509c30a32d1092a924fb6672dd4d9ea13e8397b0

SHA256
204b3d017c8c87d5d4b8ed120978f9d7989a6f681deb2e55954eac5823a9c2a5

SHA512
0b9aa0c370b8284956714f29ad342922b5f90a6be57e70515d003ada39bf456b059de8b1e8f47222b828df6e63f3445687f1dd02ddb4592c6a0d9f0d1b0d0c40

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.4MB

MD5
3b4ae1b331cb21820f7c42d10a7fc376

SHA1
27eb05c114af7b82ef12e0e5d660a1781d55367a

SHA256
002d761525b7638fded7ec9130d037e95bdcfb23f56d1b942bfc31fc5844589d

SHA512
2349c04911aac05357d9cd3c60bd654ff7a53f4173b18a89eebc33fded59b10898e055f16a2e7f06257032dc82548c206ec9dd1efba203caa465fbff80df998d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
11514e5cedf74d844fd076297d15fca9

SHA1
ca41568385a8f71b5e67dfe3e65d772732996e8e

SHA256
9374cb8a92a1a026f3c91c33e9d20916dadfc60af84762214860bde85ae2f121

SHA512
99297d00c59768069e9095340c85bb301811ab4a09ed91bd4f2725d53fcffb3e3680b593317938f5192d06e4711606a921c4359251349ee92e8ae230354e963e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
820b0d534fabda20741ea19e30e9b806

SHA1
1087d2310866938ab14207807b822b51eaea9530

SHA256
6d9e721a2554255ff2482ec8b4d6dd76798d7ac093866c489366b50ec794a534

SHA512
beaa10a7ad6432dc2b8ae1fe3c47a55414d62f1c06276beaf8f23a91f2f30ec4c22ad494dd2f5bd0a6654aecfd3089388659d934861206def5559d8c31864446

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b55a570bf9cbdeaf3933736a99830d5b

SHA1
72f6cc747a293c7c2c70417532009878d61afb4f

SHA256
18d798940345a510abf24e53c793585aa7e0e7c7c071af81afeeb9037261762f

SHA512
e0fab40c81d3df2837a6979c15cad63f18c016f912bd735b3c8c7d1e170d2b3f5974663b2e82abe7019a253368fa9665b129068f4b345c5d126c7464c39301d2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.9MB

MD5
64aa02ebc9ccf8aa8252067d5742cf1f

SHA1
a7bd2ff5cfc06797f2ced6d90f0ea5a9ea02a4bc

SHA256
fc2dec46726e33e53a1eb2ea1c4b267a9d96d62c7ae186ce1ec0e862a739087f

SHA512
cd528ddd00694e412abf93d74a083f06a2f07ac9a45f713219d2ef394c55c2b6e000c8c601c86ccac072224f2ae934924b3fee5b8d0e9004b6ef7d452f6bc26c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
848KB

MD5
5369d73168d7287c6722f883a72d1336

SHA1
9a407c77b496279cbdb0e158a0b3d5340775bdd2

SHA256
65acc253f765007fa07aae9d5618defbe572b226f77a1e8188796e20fa11646e

SHA512
1ed3dc3401c15302451989332f63aa9878ffa2ff4de966020a29be5d5ba95430c33d9ede424fac51c344b98fb6ee1841c2f40cc5439a9241ae8b2a83e14fb0b8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.2MB

MD5
6510b15a824df08704020402a89216d1

SHA1
346ad23c382638c08fb44fa0856bbf2694e85409

SHA256
057896a0cb4f00c5780593c478ea87628467b04d2a77bc6aa4697df74ebae7b0

SHA512
cc763032f909605cf2e5622aab5f0fabb5fc6711529676d10158a028876ba6addfdd333bc530572664c21b495c1268c68b7f58d3227b4c479984b8a44f35d375

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.3MB

MD5
38d5d641d4b5a063e747b88eba4d50e2

SHA1
76349cb6ed07c8e5906c50d80d3ff738627ca0cb

SHA256
83ea78641508c48b6805169df8d6fff1d85cad719824636802537305bad27b3d

SHA512
56271fe21d6fad60701e08b670d883d76e1a5ec14b62f5ea4b0d56c0f3085854657856147e283248695e5207382e827d675ca9ddbea186d376b549b4232da17b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
554f08b47c4cece99f40cca32718b02f

SHA1
9ae7733a11a840102c5ea39b82c5afebadb1c179

SHA256
0eb7c1ad12f278886d7400bbd4593ba5c67ed39423e8b182335f8830e0d5e3fc

SHA512
5b40e5aa4d2a7d45b5ff53c556dbff67ebef441b72168dc6984bf138d9bd586e5b3813f7a5f7337e2ccdbb0d226fc3d97bc0976c58f5657c821e8b44bbd542dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
04cd7d8d1fb2b3de0c2befd161612713

SHA1
ac40b77b70d7459852300ed277cc4612813efc70

SHA256
9c0e71c6678dcac6839bdb451377702a8d2220805626b4e27d25a2c6b54ad5bf

SHA512
e6c380d0a9f004d9695a6f8def0947808e28b56e97e554416fbc97f38cc4948db0db6364ff0ce118e0d75b8b0180e75650ebb424a41ef6b15d4da13362fb4c0a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
71a554b391931cfea288e7d69991cff2

SHA1
b843b06c6c963a87dfbc8a88ae68d983e252a9b1

SHA256
1f395b9360d58bf59173cb91b628a1d6b0a27c3f5d8534c9e98a8f24e6179781

SHA512
3705ee7c3317ecee6cff12022e451eaf57ec9d46adcc6db4f34bfa6ea48549d1e825ed1e8dc05a7aef447a8147aabdc48054edc39440a3db98b98f8c2a1c8649

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
f62810a78e9c3a0ed25fae05e05509f1

SHA1
879339bad1013d825bab4e3151985ed25ba4cb23

SHA256
e454e66279eb9aed61c8d51ff95e679810612f44adeb1be8afdad108f3f9c5fb

SHA512
f855defeb0dd90439c614baec63ec2e8c6da732be4b981ce50b5ed66c9ad29c3d7a795fcd8f7d5b48bf7f2465c72e830d318e05a1c2c93413791fea12f3e6042

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
e7c389e6b5911954ff77dbc34029f0ec

SHA1
90fd4b0072bf5c26ce1a2e06ee33877822556eea

SHA256
58295d370e97dcd9eca09e39fd6fdb6c1c396158a5ed822e7a7e90f4a78cb755

SHA512
0536ea1dde50c0fc7cbb4709b5bc1a51f8fa85ade1a6aa9387d26e647a2c9828be26aeb00c97b94dd13279e9b9269d3f525b2456036f4258e16fc8df9b1a1b19

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7e3a242a6f6a4376124f87a7bdb62a4e

SHA1
636e05713108ba50ad52e0812be1bcbd078a3b7d

SHA256
424cb0d3d5ba5a288e53909674b224848b317ba05da55251062c75b5e325917f

SHA512
954ce4e50c75f8cb07c27b74013eccc039ff87daf087f90ad3397e9655abf8a188eda1bc7ff176b65163d1325376ad9e42400bb2433fbb60c935bdf3705aaef6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
466KB

MD5
1bf500e9522e421505bb24e4900cb25e

SHA1
0e06f6493ab8a227917a819a1f7c227727e6596d

SHA256
f5e8b997ae7eace16d9f98c294c4f33c1a21b5fe89fc6cfdf7b37ed5a58af5c8

SHA512
811b2fe513c31319eb56989557f872509ad7b57491ba25e60135feaa914ea1bcb1e98330e7301c543d186167b53883aab35e908263d96246dce319c54094c857

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
393KB

MD5
f377badd3086646c96f3b5526c8fcb03

SHA1
890bde07238bb38b229fcc64c8611786318694a1

SHA256
6ce8812f6e1404fcdc3d50550169e001e7ec77029f18cde0803a02fae809eac3

SHA512
e506c7839717eaf9552313eb3598c5b779f7e33adccf12d4ab96e38c7c089855ec7e9ee9b4e4c50133d7d3c82da71f400216990d7f78493a0b663d38c2d137e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
a4dfb3dc3c07dc156a0c89bb8f24f2b8

SHA1
b86ce1c2b907716adfbd954ec2f18e090dd8438d

SHA256
8e36e725a9c441807ff3de6e36e14e9fb704476334d13fa490f43fab3fadee23

SHA512
fc9f60b8b0a33a6773f7e3502ca94c9e0cf38430451498bc531361091c85a8bf940cd210f2762e97188b85523a27a318b2521f80bfceed970c2e1a66be9f5144

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
320KB

MD5
ab473b8a749ae0d656fa6a69603d49c4

SHA1
de4abea2f5738d7c0ffaaf0f10544635cc4f2963

SHA256
644e8a212d8145fa87bddcaa2e2439cc001a37a09437aaeaca1c80ee9126cee4

SHA512
62631807d93ce31643d8d154ef7b746974426bce0108d27785fb884c671f37ed2cf6822092bd21fa9900e075cceab51224c17a86918dca0d85af76eb6f56a1e3

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
704KB

MD5
255850af48eb38e17eaba66de13278fb

SHA1
da09b4e563c9802d0eca1f8fc797d76aec804075

SHA256
7f0ff04d68e6d9e9e589321cdd6bca86add506bfda098419c53456b5c6c581f7

SHA512
b667c3743acb7dc78cfaa5e4a9bb770cecea123b573d64dedd03195a6f18c069eba399307b92fe606bd9e8a88ebd1066d6d395fa931c5482f724b0d05f735ae5

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
9192963d040ffa8536640f35f498348e

SHA1
c8ab0b1cb4e852c56893f7755712843261b6019f

SHA256
8bd68500b91d1e9f6d9b4bfbc4385b8721c5a971297e496fbcd38933932de2cf

SHA512
ef599954b7eda7d5757bfa366e9755e39e274d3aeb45c14985b9f79fabb335d18ff47e8c05155133fe0612df8d6e543db4a26ddc3814ffdb3556cba6e3f54668

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
c33f5bc8fa7cf2e08db032caf05a6b2f

SHA1
8faed47cbee3567a87571135d8da9cdeafbfcadb

SHA256
7705a00531b9d4777057b015536b08c1f1a99cb0a43da823efc1a6c3aab47b61

SHA512
2a0fcc6292b46679f068ad30d7588cdcb5407240ebe711b2796027abed0abd1d30decccbc146e83a1c4e3aeac71d0bfea2eb021f70628e3b53bf4291549fea4d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
dc04fb06c20d382b8e7bedb31097e55d

SHA1
0ae7ffa4f351b84bddea399ce1cc3e6f771ef859

SHA256
5a7d2494ae58847323bacd0122693a76375d74cdce447f765b9df968bc84c9f2

SHA512
42a50475d81b67a7635623f02cfb4c5429e76e8c3feb84ca82d43958b9f5680944160750ae29dd9cf0afecbfa3c0b9b91bacb6b1b9afdf9e0edd79c604691285

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
0e21dafe624931822e0a0d21a49d7234

SHA1
a4471be6152ae233825e73fb98f32933c68228cf

SHA256
76a5231e2dd09a21613487df8b31e547fab9ddd8f5806d3c1743378642e4fa7b

SHA512
f434cba2fb66be27dd88c48c13bdbdaf372dda1c67bbe1df734f8496875537fee7986c52a4de26b0548f4bae40408ae1f355faedba51ec0cedcf502a41f15c61

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
552211c7e15f91e5f46453146565bb20

SHA1
e1bf21130ca71390258c03c3b75b519f91fb5d34

SHA256
904932c9051cdf6f5efc70495ff08c3f3e4a79be35875960f493d79eb99f305c

SHA512
ce88b9c0e5e6255965f392e8757b4cb036912858f368c9a4e791f6fbcbed9215b1e9d2ebe9c36163a02a2c04f4ed095b9452c8a0a421c8ea48957acde5b406c1

Download Submit
\Windows\System32\dllhost.exe

Filesize
715KB

MD5
d41d05c072d9c902cd30a62004bf40c8

SHA1
dba1b2c3415ca6a775cd984862ef6cf6b719fe44

SHA256
8d157d018411a2daf47742de531af97dc5fad52acc485d1abbe35a67034e21ba

SHA512
a5311d7464fe99f5614041796e17c03493a8963dba6180bc5a091b6b4e3f19984ec6814ae209cc2a67a21d8680fc91618ee2f8fcd8aa4b745b68be1f8c82d51e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
419d3a83a8dd6bd63d837a8a92a50d7c

SHA1
4eda3807c091078d504d57d71165631d01de5ad4

SHA256
31ac0cc7f3b1a5f30ca65c14407da33298f3988423acc211944e25b6ea894629

SHA512
aca42fc36b40e1af537e364660d549bd6031890b7513f78a2e8601fa153e4a06db5e01735c7ef331fc725e47135328f7abddb25cfc1badda98c553dd96ce6f9d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
128KB

MD5
28c882a2f8149ecd37a9b4cac520790f

SHA1
9eebc5f6f4f4939ce3a7c8123f659ed7b9454b68

SHA256
4c03870de3690afd7d5277f95e5973ee41923b2baf9e1dc019923e06557a367d

SHA512
57e0c19e2edc26f7131886e1561d915dea451883e9f2b43b2258f0ffeceda4c0f76b14b59c3b3973836b01a973057811bc1d7945add0f02b2ca0608c084d82b3

Download Submit
memory/528-247-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/528-254-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/528-277-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/1072-228-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1072-195-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1072-197-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/1072-204-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/1072-227-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/1432-154-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1432-85-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1432-78-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1432-77-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1564-294-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1564-199-0x00000000003E0000-0x0000000000447000-memory.dmp

Filesize
412KB

Download
memory/1564-159-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1572-193-0x000007FEF3FD0000-0x000007FEF496D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-300-0x000007FEF3FD0000-0x000007FEF496D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-188-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/1572-272-0x000007FEF3FD0000-0x000007FEF496D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-186-0x000007FEF3FD0000-0x000007FEF496D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-273-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/1700-353-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1784-304-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1784-201-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1784-202-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1856-139-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1856-66-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1856-60-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1856-59-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2044-109-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2044-121-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2044-112-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2044-225-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2060-187-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2060-185-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2080-14-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2080-13-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2080-20-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2080-94-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2080-21-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2192-233-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2192-114-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2192-95-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2192-203-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2192-111-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2192-122-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2192-96-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2192-103-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2376-51-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2376-73-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2472-234-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2472-231-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2472-340-0x0000000070A88000-0x0000000070A9D000-memory.dmp

Filesize
84KB

Download
memory/2508-149-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2508-252-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2508-144-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2572-27-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2572-108-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2592-128-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2592-136-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2592-238-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2592-127-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2804-0-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2804-76-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2804-120-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2804-1-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2804-7-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2816-232-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2816-260-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-243-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-258-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2816-208-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2872-30-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2872-31-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2872-37-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2872-48-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download