b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce

Analysis

max time kernel
163s
max time network
172s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 00:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
Size

1.8MB
MD5

fd440eb771ba4548dea4ff2751ddee77
SHA1

7e8548fa5f63fd5ba406b9e9ae488560267d5c24
SHA256

b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce
SHA512

a6d64e9b0a82d5301827ab5cb41a93b78985bd0bc3f4655b24e3bf2b4c22af896e9c5c484893a56d732034cc8baddc659060eca32215a96d92632993deb2dec1
SSDEEP

49152:7x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAykQ/qoLEw:7vbjVkjjCAzJBqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 38 IoCs

pid	Process
464	Process not Found
2592	alg.exe
584	aspnet_state.exe
844	mscorsvw.exe
2536	mscorsvw.exe
900	mscorsvw.exe
1280	mscorsvw.exe
1900	elevation_service.exe
1888	GROOVE.EXE
2900	maintenanceservice.exe
2432	OSE.EXE
1636	OSPPSVC.EXE
1148	mscorsvw.exe
2168	mscorsvw.exe
1492	mscorsvw.exe
1792	mscorsvw.exe
2484	mscorsvw.exe
2768	mscorsvw.exe
692	mscorsvw.exe
2856	mscorsvw.exe
1768	mscorsvw.exe
788	mscorsvw.exe
1832	mscorsvw.exe
1740	mscorsvw.exe
592	mscorsvw.exe
2892	mscorsvw.exe
2676	mscorsvw.exe
2512	mscorsvw.exe
2524	mscorsvw.exe
564	mscorsvw.exe
692	mscorsvw.exe
2856	mscorsvw.exe
1604	mscorsvw.exe
1096	mscorsvw.exe
1556	mscorsvw.exe
2932	mscorsvw.exe
2272	mscorsvw.exe
3008	mscorsvw.exe

Loads dropped DLL 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ce5ef00b9a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_fa.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_lt.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\GoogleUpdateOnDemand.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_el.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\GoogleUpdateCore.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_gu.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_no.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_pt-PT.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_iw.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\GoogleCrashHandler.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_uk.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT88FF.tmp	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\GoogleUpdateComRegisterShell64.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_sk.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_fil.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_ur.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_zh-CN.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM88FE.tmp\goopdateres_ca.dll	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2404	b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeDebugPrivilege	2592	alg.exe
Token: SeShutdownPrivilege	900	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	584	aspnet_state.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1148	900	mscorsvw.exe	40
PID 900 wrote to memory of 1148	900	mscorsvw.exe	40
PID 900 wrote to memory of 1148	900	mscorsvw.exe	40
PID 900 wrote to memory of 1148	900	mscorsvw.exe	40
PID 900 wrote to memory of 2168	900	mscorsvw.exe	41
PID 900 wrote to memory of 2168	900	mscorsvw.exe	41
PID 900 wrote to memory of 2168	900	mscorsvw.exe	41
PID 900 wrote to memory of 2168	900	mscorsvw.exe	41
PID 900 wrote to memory of 1492	900	mscorsvw.exe	42
PID 900 wrote to memory of 1492	900	mscorsvw.exe	42
PID 900 wrote to memory of 1492	900	mscorsvw.exe	42
PID 900 wrote to memory of 1492	900	mscorsvw.exe	42
PID 900 wrote to memory of 1792	900	mscorsvw.exe	43
PID 900 wrote to memory of 1792	900	mscorsvw.exe	43
PID 900 wrote to memory of 1792	900	mscorsvw.exe	43
PID 900 wrote to memory of 1792	900	mscorsvw.exe	43
PID 900 wrote to memory of 2484	900	mscorsvw.exe	44
PID 900 wrote to memory of 2484	900	mscorsvw.exe	44
PID 900 wrote to memory of 2484	900	mscorsvw.exe	44
PID 900 wrote to memory of 2484	900	mscorsvw.exe	44
PID 900 wrote to memory of 2768	900	mscorsvw.exe	45
PID 900 wrote to memory of 2768	900	mscorsvw.exe	45
PID 900 wrote to memory of 2768	900	mscorsvw.exe	45
PID 900 wrote to memory of 2768	900	mscorsvw.exe	45
PID 900 wrote to memory of 692	900	mscorsvw.exe	46
PID 900 wrote to memory of 692	900	mscorsvw.exe	46
PID 900 wrote to memory of 692	900	mscorsvw.exe	46
PID 900 wrote to memory of 692	900	mscorsvw.exe	46
PID 900 wrote to memory of 2856	900	mscorsvw.exe	47
PID 900 wrote to memory of 2856	900	mscorsvw.exe	47
PID 900 wrote to memory of 2856	900	mscorsvw.exe	47
PID 900 wrote to memory of 2856	900	mscorsvw.exe	47
PID 900 wrote to memory of 1768	900	mscorsvw.exe	48
PID 900 wrote to memory of 1768	900	mscorsvw.exe	48
PID 900 wrote to memory of 1768	900	mscorsvw.exe	48
PID 900 wrote to memory of 1768	900	mscorsvw.exe	48
PID 900 wrote to memory of 788	900	mscorsvw.exe	49
PID 900 wrote to memory of 788	900	mscorsvw.exe	49
PID 900 wrote to memory of 788	900	mscorsvw.exe	49
PID 900 wrote to memory of 788	900	mscorsvw.exe	49
PID 900 wrote to memory of 1832	900	mscorsvw.exe	50
PID 900 wrote to memory of 1832	900	mscorsvw.exe	50
PID 900 wrote to memory of 1832	900	mscorsvw.exe	50
PID 900 wrote to memory of 1832	900	mscorsvw.exe	50
PID 900 wrote to memory of 1740	900	mscorsvw.exe	51
PID 900 wrote to memory of 1740	900	mscorsvw.exe	51
PID 900 wrote to memory of 1740	900	mscorsvw.exe	51
PID 900 wrote to memory of 1740	900	mscorsvw.exe	51
PID 900 wrote to memory of 592	900	mscorsvw.exe	52
PID 900 wrote to memory of 592	900	mscorsvw.exe	52
PID 900 wrote to memory of 592	900	mscorsvw.exe	52
PID 900 wrote to memory of 592	900	mscorsvw.exe	52
PID 900 wrote to memory of 2892	900	mscorsvw.exe	53
PID 900 wrote to memory of 2892	900	mscorsvw.exe	53
PID 900 wrote to memory of 2892	900	mscorsvw.exe	53
PID 900 wrote to memory of 2892	900	mscorsvw.exe	53
PID 900 wrote to memory of 2676	900	mscorsvw.exe	54
PID 900 wrote to memory of 2676	900	mscorsvw.exe	54
PID 900 wrote to memory of 2676	900	mscorsvw.exe	54
PID 900 wrote to memory of 2676	900	mscorsvw.exe	54
PID 900 wrote to memory of 2512	900	mscorsvw.exe	55
PID 900 wrote to memory of 2512	900	mscorsvw.exe	55
PID 900 wrote to memory of 2512	900	mscorsvw.exe	55
PID 900 wrote to memory of 2512	900	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe
"C:\Users\Admin\AppData\Local\Temp\b374591609612484cb97511806632b000fabb62f5ef8bccdebfcfc2e26627cce.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d0 -NGENProcess 254 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 240 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 260 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 254 -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 24c -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1ec -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1ec -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1ec -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 240 -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1a8 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1a8 -NGENProcess 240 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 244 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1a8 -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 1d4 -NGENProcess 27c -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d4 -NGENProcess 1a8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 280 -NGENProcess 27c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 1a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1900

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1888

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2900

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
860c2a9d8fc7fcd2ea2589e2d1273d25

SHA1
fdbda3fd7d6eda03f39c90199fac987435f3469c

SHA256
7ca1f5888c2e707a75655e0488c3ce9e3aaa20f2e210d4b42f70a113c1809816

SHA512
61e54ef7d71f7b5c50f6f9be7e3c57c535869dd4572b7cd44b52106206a1685c612c2a00287934db4254d27b54f5ce0129f85150b373360f3e9e4ea69a0548f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
5.5MB

MD5
d4b3c81a42ed5626f3980a6edb37bf41

SHA1
06c3eb4e669e0924d6b37f2acd7f3efb9e4b92bb

SHA256
3fee0367ae82109ab8850efcfbe23e5629ba7cce5e913778cff7eaf15b6d2387

SHA512
704978ecfa03828c1bf57cc95939ce6affea6e61a45a5a872e8c00f9f1e5cb2e0f3fbb25425112d02b7c36469ddb4b0d22e2a4920cf1cb60d706c4fc41e5da78

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
726811375a05f654dd567e41ee0b06b2

SHA1
4d3dcbfca3dcc32ec02dc27e500ce72d5fe9fed3

SHA256
277b149e46a177e09d826985be21bdcb9de3676dbd3de14189a22e22f9ca4225

SHA512
ea127187345aea6e71daa01ed6f49b19e5f7ac3c92d2539fd2804f8b14fac29fe293ebf1f192a17196ced45f890637818076d432f68928c3280efe1190018b38

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
358438b946583940a6e175da79b93d11

SHA1
975e6033d14cee6c7fc2a4b93ff2c50d82c72048

SHA256
a4a2a7c4014dce3fe29746fbb6c468901c47c8595ec19618cc0384908cd5d272

SHA512
c609d1ffb3967cf6c3997b9c3a19b2d0a65ae5c7c3808316efaac0382c671ed8b3a15a891844488efeb529ed27781f5daa8c24697d0337ad4a961bf0c4623e7d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
77a182bf992c7eb5e94011ace2c4f553

SHA1
3da67cf869c7eb4db913b36aa0dc76214f5eff05

SHA256
153e269dcd1de509771a3a03877551d6b2f87ba9dc3293df040bd4709f5a2830

SHA512
436a87df9c2a9860d7dceab6e08c59816e48289c893813e8edff862bc07f55acc11a7409249d7ece10804db833f7e32c4b094c2de0931ba3958098dbbe4068c7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
5e11a96f9bb0ffd0ddbf0629c181363b

SHA1
37fa2bd060980036c00588318cdda95507ffcfb2

SHA256
96d42a4f053be31ae67c8e677a5995f0c95f503ddd2804bb94a0610830f5f0d2

SHA512
337393814ce7fac90cbb6733437d5eaf3301bb79b37912db0a9a21581335be4d1317d57a0464bffc5982ac023edacd053698af9e8250c61cd4872eaeae19be44

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d6c03439571ed108d55115d79691307d

SHA1
e725991674bff64a3f1819533e35de92446f52df

SHA256
1fcbfee52d6584de5e75107eb143fcc5207531c55d2668ac780698e47d051dcb

SHA512
a17975e19b728d6eeafc088cf114127bbf647adee0e6f2e316d45a593de4c61e0a66e9ea552b9ee9c0eee67d6c51f8bed6d79fd017ff36151a9a0ed58501633c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
e2ffa89737c7c208f82376171ee3c3a3

SHA1
b29f939747f3deea816969bb1420b55937123273

SHA256
95681463ecd8843ebe036c372555a840a1d6204bbdd0554737b5fd3b0954151a

SHA512
4533f3fd14846cba105da62eed53be53a0762651992c3a014913ffd37920365d1cd895fe094898ffcf0e4ae8f28e2f8d8bdee58623fc3d2851e476aa65cd3f4b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
44f0739fd70ad015ef2c37519fdae65d

SHA1
fbcb2e87a740919c53e3622009e5be4dbc748b08

SHA256
64bd7ad85a86b2269c77a061f279a2681cb166460c6cea7d8bb149fee0a63cfd

SHA512
5a7d92d24aa4d01def0d7ca61c6d5160aa3522fc497d880f69267a66fe6100c7889bd98aaa8dc843ec05e7d03d2467b9d2755b99f33d700fa44433b15b74c091

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
22b7eb515b3e020f85458de4e61b85ab

SHA1
fb1f304f0bc0664ec989de7655c1cb54134084c6

SHA256
0dbebcbcc961ac398127b57ac8e5c32f1cf973c043137e568a473fe7c781b72d

SHA512
22eadf1b595717cfdee96e2784edcfe6838c12ef5e322d527525aa5501b5bade0ecb14f91703f161076ec5a333c525b0baf298b69b9d226c1a5ca525d3e65f71

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
6f9b9075e65ebeffd0c49b64250fd64f

SHA1
551d21ddfb3db1991a90a500399e87cda5bf7544

SHA256
503b8e8c9407a11b0fb75f37da99df7257fe5bc1f6ecb44869d995f32cdc0963

SHA512
47ebf2db1e5e679be2bf61e2fdfbad2be813f32a2b6c2d419cdc8aa5b76a7c89971195fc9fe5adbf95c83758daf8c71eb7dcd6c07ab6fc064b8fa0bc4f9cb32d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
4b25751dca8ce71dde724eaa6f106ddc

SHA1
6b747aefcab94571d279cd3e0d1ec91d789a5000

SHA256
e5e4b4661da7b56cc097486fadbefc047181c5bb3dca89d41379e329c071ecfd

SHA512
835a34b9ad884f9f04d55445b9f336b8094a02be2f11e4e14e44bd16292aac8728655ab5d7ff9c28f5e48a8a1bbbdceeae803c405cfef670b40d633b5a08f795

Download Submit
C:\Windows\system32\dllhost.exe

Filesize
1.2MB

MD5
d803710736e2b95f096122d4dcb389e9

SHA1
6a64b8ee7fea98bf3e8acee88b4419ace3812cc6

SHA256
66b2a396096341f5d7d6ce7a406e089ffaea494d22babb08de37ae100bfe748b

SHA512
6661d37e946a86647ea4c831229ce6640e5e1c1778cf7ab61e00597a8f8d6f75fe61549e74d00ac7718c9e7232ab49551072cf8506b2f38d1af44cbf8dcc56a8

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
4da2f8a3806ba7bcad7efdcfbcd69400

SHA1
ebd07f1ce4f440f2177ec0b9af375413f454b0b3

SHA256
e1fdf7f3fdd44c857b6da4411e397ac1f13cca90b3c6047be1f6f2fe12ce8774

SHA512
f68be1924b9b085f800e9479b609ae60d500bb7208b3399eba8e7c29250e529e4b5d7ad329904a5e3778cff037af6ca6b8caf733189c3bfa154a506005697294

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
41637f1fc837136f82f7129aacb94e85

SHA1
4753cec1397f42b5a659f1d56b1d633b8cef759c

SHA256
ea3681401b900925e10b9a591beec85c1e37d439f102dcbe066f385966d82ec2

SHA512
4df5333992889deb2320f1ece9aaa2653cf06d77f42a747aa63101a98b1dd1e91acaf3e960c7b2dbce8525e15fd753787e396c94a41d7cd58c7fa7b68a088b63

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
84ab8e996430d71f8e536236218c2761

SHA1
ec28d508fc378e1c46f322fe2bd55c33601d2af9

SHA256
6b3d58f67e4b79703e4b089eca2628f5db15e33ba5ecc1c6a57bfd9d84bb1ce0

SHA512
3604bfcc4f9a07e70407ad75375fbe6ee3debae8ba80ce3113d3ff37a1062cfa1b64df5cabb5fcde53281e99d0e2ae80e73594e962db34584b22fc3b50f15435

Download Submit
memory/584-103-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/584-97-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/584-96-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/584-256-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/692-568-0x0000000000740000-0x00000000007A6000-memory.dmp

Filesize
408KB

Download
memory/844-113-0x0000000000430000-0x0000000000496000-memory.dmp

Filesize
408KB

Download
memory/844-142-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/844-108-0x0000000000430000-0x0000000000496000-memory.dmp

Filesize
408KB

Download
memory/844-107-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/900-144-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/900-145-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/900-150-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/900-285-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1148-461-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/1148-456-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1148-446-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/1148-433-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/1148-334-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1280-162-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1280-170-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1280-305-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1280-163-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1492-495-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/1492-559-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/1492-518-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1492-481-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1636-322-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1636-410-0x00000000744B8000-0x00000000744CD000-memory.dmp

Filesize
84KB

Download
memory/1636-311-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1636-319-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1636-468-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1636-516-0x00000000744B8000-0x00000000744CD000-memory.dmp

Filesize
84KB

Download
memory/1792-532-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/1792-519-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/1792-528-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/1792-514-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/1792-529-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1888-273-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1888-268-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1888-333-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1900-317-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1900-262-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1900-253-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1900-254-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2168-470-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2168-460-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2168-474-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-462-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/2404-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2404-6-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2404-1-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2404-67-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2404-248-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2432-458-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2432-297-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2432-306-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2484-554-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2484-553-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/2484-550-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/2484-541-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/2484-530-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/2536-124-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2536-123-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2536-131-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2536-160-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2592-29-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2592-38-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2592-32-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2592-82-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2768-551-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2768-556-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/2768-569-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2900-287-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2900-279-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2900-295-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2900-293-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download