cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 14:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
Size

1.8MB
MD5

86aa346a714c7d9e84faca3b91544829
SHA1

0a8f26d1f21462c56cd7479c8c901cd6eaf82ce4
SHA256

cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14
SHA512

ea7d8fcf6fe8232141884477006329bc38719503bd475b6494a41441614eae741d293794a8746d2b9d27b771608ba29a4ac047a1acb3cb417a093fe669cd99dd
SSDEEP

49152:TM9QPdxwfE7WlFwKAfzuTiDFUFkWnQ2t5BWR:T1PdVQFwKZCFgn/W

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
472	Process not Found
2512	alg.exe
2056	aspnet_state.exe
1004	mscorsvw.exe
2868	mscorsvw.exe
1376	mscorsvw.exe
2708	mscorsvw.exe
1760	ehRecvr.exe
1720	ehsched.exe
2160	mscorsvw.exe
3064	dllhost.exe
2576	elevation_service.exe
1432	GROOVE.EXE
2724	maintenanceservice.exe
2644	OSE.EXE
2260	mscorsvw.exe
2128	OSPPSVC.EXE
2724	mscorsvw.exe
2192	mscorsvw.exe
1656	mscorsvw.exe
2692	mscorsvw.exe
2408	mscorsvw.exe
1404	mscorsvw.exe
2712	mscorsvw.exe
1824	mscorsvw.exe
1340	mscorsvw.exe
1788	mscorsvw.exe
836	mscorsvw.exe
2560	mscorsvw.exe
2740	mscorsvw.exe
2280	mscorsvw.exe
2132	mscorsvw.exe
308	mscorsvw.exe
2300	mscorsvw.exe
1264	mscorsvw.exe
1996	mscorsvw.exe
2724	mscorsvw.exe
108	mscorsvw.exe
524	mscorsvw.exe
2648	mscorsvw.exe
616	mscorsvw.exe
1076	mscorsvw.exe
2956	mscorsvw.exe
2452	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7f85ab8eae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\psuser_64.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_en-GB.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_fr.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_ar.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_bn.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_hu.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_pl.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_ml.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_ur.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_lv.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_sr.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\GoogleUpdateCore.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_gu.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6ED9.tmp\goopdateres_bg.dll	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BB8A1DC3-1EAC-4DEF-86DE-56C4F7D88B06}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BB8A1DC3-1EAC-4DEF-86DE-56C4F7D88B06}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1716	ehRec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1540	cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: 33	2536	EhTray.exe
Token: SeIncBasePriorityPrivilege	2536	EhTray.exe
Token: SeDebugPrivilege	1716	ehRec.exe
Token: 33	2536	EhTray.exe
Token: SeIncBasePriorityPrivilege	2536	EhTray.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeDebugPrivilege	2512	alg.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeDebugPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	1376	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe
Token: SeShutdownPrivilege	2708	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2536	EhTray.exe
2536	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2536	EhTray.exe
2536	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2160	2708	mscorsvw.exe	36
PID 2708 wrote to memory of 2160	2708	mscorsvw.exe	36
PID 2708 wrote to memory of 2160	2708	mscorsvw.exe	36
PID 2708 wrote to memory of 2260	2708	mscorsvw.exe	46
PID 2708 wrote to memory of 2260	2708	mscorsvw.exe	46
PID 2708 wrote to memory of 2260	2708	mscorsvw.exe	46
PID 1376 wrote to memory of 2724	1376	mscorsvw.exe	48
PID 1376 wrote to memory of 2724	1376	mscorsvw.exe	48
PID 1376 wrote to memory of 2724	1376	mscorsvw.exe	48
PID 1376 wrote to memory of 2724	1376	mscorsvw.exe	48
PID 1376 wrote to memory of 2192	1376	mscorsvw.exe	49
PID 1376 wrote to memory of 2192	1376	mscorsvw.exe	49
PID 1376 wrote to memory of 2192	1376	mscorsvw.exe	49
PID 1376 wrote to memory of 2192	1376	mscorsvw.exe	49
PID 1376 wrote to memory of 1656	1376	mscorsvw.exe	50
PID 1376 wrote to memory of 1656	1376	mscorsvw.exe	50
PID 1376 wrote to memory of 1656	1376	mscorsvw.exe	50
PID 1376 wrote to memory of 1656	1376	mscorsvw.exe	50
PID 1376 wrote to memory of 2692	1376	mscorsvw.exe	51
PID 1376 wrote to memory of 2692	1376	mscorsvw.exe	51
PID 1376 wrote to memory of 2692	1376	mscorsvw.exe	51
PID 1376 wrote to memory of 2692	1376	mscorsvw.exe	51
PID 1376 wrote to memory of 2408	1376	mscorsvw.exe	52
PID 1376 wrote to memory of 2408	1376	mscorsvw.exe	52
PID 1376 wrote to memory of 2408	1376	mscorsvw.exe	52
PID 1376 wrote to memory of 2408	1376	mscorsvw.exe	52
PID 1376 wrote to memory of 1404	1376	mscorsvw.exe	53
PID 1376 wrote to memory of 1404	1376	mscorsvw.exe	53
PID 1376 wrote to memory of 1404	1376	mscorsvw.exe	53
PID 1376 wrote to memory of 1404	1376	mscorsvw.exe	53
PID 1376 wrote to memory of 2712	1376	mscorsvw.exe	54
PID 1376 wrote to memory of 2712	1376	mscorsvw.exe	54
PID 1376 wrote to memory of 2712	1376	mscorsvw.exe	54
PID 1376 wrote to memory of 2712	1376	mscorsvw.exe	54
PID 1376 wrote to memory of 1824	1376	mscorsvw.exe	55
PID 1376 wrote to memory of 1824	1376	mscorsvw.exe	55
PID 1376 wrote to memory of 1824	1376	mscorsvw.exe	55
PID 1376 wrote to memory of 1824	1376	mscorsvw.exe	55
PID 1376 wrote to memory of 1340	1376	mscorsvw.exe	56
PID 1376 wrote to memory of 1340	1376	mscorsvw.exe	56
PID 1376 wrote to memory of 1340	1376	mscorsvw.exe	56
PID 1376 wrote to memory of 1340	1376	mscorsvw.exe	56
PID 1376 wrote to memory of 1788	1376	mscorsvw.exe	57
PID 1376 wrote to memory of 1788	1376	mscorsvw.exe	57
PID 1376 wrote to memory of 1788	1376	mscorsvw.exe	57
PID 1376 wrote to memory of 1788	1376	mscorsvw.exe	57
PID 1376 wrote to memory of 836	1376	mscorsvw.exe	58
PID 1376 wrote to memory of 836	1376	mscorsvw.exe	58
PID 1376 wrote to memory of 836	1376	mscorsvw.exe	58
PID 1376 wrote to memory of 836	1376	mscorsvw.exe	58
PID 1376 wrote to memory of 2560	1376	mscorsvw.exe	59
PID 1376 wrote to memory of 2560	1376	mscorsvw.exe	59
PID 1376 wrote to memory of 2560	1376	mscorsvw.exe	59
PID 1376 wrote to memory of 2560	1376	mscorsvw.exe	59
PID 1376 wrote to memory of 2740	1376	mscorsvw.exe	60
PID 1376 wrote to memory of 2740	1376	mscorsvw.exe	60
PID 1376 wrote to memory of 2740	1376	mscorsvw.exe	60
PID 1376 wrote to memory of 2740	1376	mscorsvw.exe	60
PID 1376 wrote to memory of 2280	1376	mscorsvw.exe	61
PID 1376 wrote to memory of 2280	1376	mscorsvw.exe	61
PID 1376 wrote to memory of 2280	1376	mscorsvw.exe	61
PID 1376 wrote to memory of 2280	1376	mscorsvw.exe	61
PID 1376 wrote to memory of 2132	1376	mscorsvw.exe	62
PID 1376 wrote to memory of 2132	1376	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe
"C:\Users\Admin\AppData\Local\Temp\cc0615652f7161c5e078fb07d2d485b4a3b3fecd8f28c39286a66f9272fdae14.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1e4 -NGENProcess 1e8 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e4 -NGENProcess 1e8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 264 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 26c -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 26c -NGENProcess 200 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 274 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 200 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 284 -NGENProcess 200 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 28c -NGENProcess 25c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 244 -NGENProcess 278 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 1e4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 29c -NGENProcess 1e4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 290 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 274 -NGENProcess 27c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2ac -NGENProcess 2b8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 2ac -NGENProcess 244 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 210 -NGENProcess 1b0 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 258 -NGENProcess 238 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 230 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1760

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3064

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2644

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
52cb97f8518354201c452db4c13c4e54

SHA1
21a1587b7241a9515f6240c057ad282f36557099

SHA256
4164bf9a7fb719479cd11bec6eeb87fd4d4d10abca083dbeff6b954b658eb5f5

SHA512
41f905b7a073f970aefcda65cb0216dd9964eb1811f69df2f41dc54e90e2f4ee86e7d55b0eb73f56ad623061c32f99dd6d86b24ab5bd235c16c7c8e209105fa0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
0bda0f7c8ec5aa8fd3ee999ba30ddc0b

SHA1
84d078b3bd661a28f994168a049428211750acdf

SHA256
e7ad8344ebd20f02a9f139544b777fce82336c9d75f486d6844a1b4668ee2d29

SHA512
8227a8f2afcbd5c6438695340dc47e9ee09817d1f4dab11793680324116bb499af81da46427a9610b4b129fec9f4a52f96b3be13788d38fe51d57c1e50bf4b48

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
b96dd8e675ef48226846cb9053b5166d

SHA1
450f7475c766916d0276d852e65107b32ef34cdb

SHA256
52e7ffa925919dccf225d93d43e7b37470bb7693a87d60d2aae6ece9544505f5

SHA512
a775fce71ae2ab7b8ec1275c7e9f5b5293aa6b8e45df8089b0d49212bf43da0384968fa4ffef3a9fe57edc9e4b6a459338c60217c67ad87b44c231b2d272cc45

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
30fbcf52c19b9c6b148d98197e5a2fea

SHA1
faf217bd9b809714f0840215939f0653cd0ea310

SHA256
72b14c05a5b50d5611c57d34e6aef42418d3a88833ba737097e6ba300a5c7e05

SHA512
4ef072963e5abb0c7cf57a07952589f51137e4ea4a65b7127dc78000af7eac3b2164854ac755fb76a2d36074f7260e142bbbd7ce66222e5cfbb92dbcd286b2d0

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
6ff84c1a60b0059b8ce4384b52e7b397

SHA1
daa5e53dd9618aea925cd305b4cfafa7e2b84488

SHA256
3197a76c92304173c478eac3c71f5a7f1cf58aa7e4cb28c14f0786bcc5f02165

SHA512
a6e04c1029871eb87ceb46cae925cdbdb84ec5e9649d3fc859923c28f9c5cb78ae12e107b184a40fa59d58c97de8b5f4927d196b4e9f2359cd17f55c75facb0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.5MB

MD5
e652691c56cfdd47e1c0c735aed724ee

SHA1
254c9a1bc9629b3246c169f1b71217a7c5d44842

SHA256
3899214535baf57796f776ecf4f6c86b9140cc2a56f2aa618030432a78975c58

SHA512
570e848142685f19f4ba20592b51c25f7991165b04bcf17db7bf1b20110351d8082e6d020aca62e52ed6059290d3c21ca5e574f8036dd9ea966dca3796ff551e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
0645e0338c69fd06e13c00982acb3993

SHA1
29af47ba92af4c41f6d018e7e4cf5ca101c79432

SHA256
8df9304b83c27167cb8272cc28b0b7d9108ac646aaa00fee722ffee69ee0332d

SHA512
d71e795b99e34926056d789c65d0edfc0fc8537d67f815a9a54f737d5e519a7ba6ced63270270298e141cf3919adc5026bf1007e173a605d330fc1b4160abe11

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8e1beec253afee1f619c0c7aa31c85d8

SHA1
1ba748aad5b41c517149543feb661940366d9bf8

SHA256
0a59feca330844c895e28aa5aa20c1e42ce1aebfcc61760e9e1e7dcba6014608

SHA512
bd97ec9aaf6681e247ed55a8b0d9dd37b7f3abf12a87934da87bb6287ded6dad33a2c22132ef5de1e1509e7ba14a1f9a9df348af56070faee5d2b7db0abbf61e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ba4f497ef96679cd830cf8cbc7bf7682

SHA1
a3d16e3eebb363a31e758dcb702a07dfd1c9965e

SHA256
f76d1e0a0d46b7804088b50ceedef42291aa3ccd7af93a88a5dc105d35a1a67e

SHA512
5cd54aaa2b4f611888c60915c8d39ac22d43d01c4390cd15241b03d5bc80145b78be92d792542bd79de6a02ea4c54c4aaed30ce76e55d8913b151e4ef1db7b74

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
824KB

MD5
89157cc1f28d9d684451755901401097

SHA1
3654e855d7d702efe0d786ba944cb950cf1de2e0

SHA256
f9bb04ed819639c1232155cad2984f84271c65c2e3b929e49a931086bf353612

SHA512
0af640078a530db94e62f786788b0ca26a55fee696c026fe85029cd73a97cef49daac3aad0b30bbbc336510f2a738b767bab9287a47bd5471dfd0ac5717ea334

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f29f70d11ac41a5780513ffc5153e7c0

SHA1
1fe5d6a9a3b387da3c3dc28d400f53dd4341c5c2

SHA256
481ea1618fa123c097bcee7ea362c0e8ff4754e467b0b718f7a328e28cb2c0de

SHA512
f1da14a84fa73dc320428877fa5c2ebe1391cda6aa9823083736e94e3365e383ae9314757f8d17d2344d47d0798b6d252141c4f1127084a94d2a4a5decd46ef4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
192KB

MD5
d9c014767e84e27ccc2219e15d249643

SHA1
84cdd2317429fdb543015ca6c5e1137bc0657de7

SHA256
0ced3e5fa74f6f8be14788ed013201088e9258bcfd2b90cda4613279671440ba

SHA512
bd5fae4aada373c3bf78a11a8268559b2beeaeffbbbe2e4935445eafe764fc270992b1b56eeeb4eab70eb60d47e3a3d4b1e634bbae34531f9875851e8e199290

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
903KB

MD5
b95126b5f7366b0390603310814889b7

SHA1
4bd08c9daa55dfb670364a52417e64b288f7ced3

SHA256
6a035b66ac4556473bbe6b1b6a5c28f47f463a53bbde16286186edec5f1dbf58

SHA512
f6a9390a8cb6703ca510dfbc7a2c0b95bc8810c0afbe2110de1189659ae754fbc71a5d838022ad973967c65f338d54a881587ebc0cd754c142fee0c5103bf74b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
496KB

MD5
1be58304876b3a20c71a48fe87845ff5

SHA1
5a1108c593e3ffb92e6ce00fe7910ca46cc1b4b4

SHA256
78457deed9ddf05ea65d366e2aebdfc69198b1981e74327dddfe0eabd7390c61

SHA512
83d6fd952133270b81519b1f7c1f17fc73da41e1a5eaf71d1c377e802fec5ca3d6da6f3b91a53c1ed1454b8158ce520f0380d69a9acb9643b57fe668d0708473

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
589KB

MD5
556e77ac106df12cda76e23eda8c179d

SHA1
6b82a950b2bce0f93cecd58aba24ff808295828b

SHA256
3e1bf1c7524b9804a5b3b0b0ea9939f131536a02415684e54c1e64b51f2040dc

SHA512
ccec906328011607a713d1721379f2ef4195bfc82f1a7efdad61d1a5f86daf955d7eac4d1644be254ce4e196a00faac5790694571bdf1116b20023f7e1c1194b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
25KB

MD5
9af2ac9bf6ad087a3358fc52db9565c8

SHA1
249f7f5d52a14d7f0bc37795421353a5657f1e2b

SHA256
8b9fb10e3e38316ba5e56a9d7584b1fc1d6380fe7a579e34461187de1b9f0082

SHA512
1b754e16f65551b1d689f6a6d354ada06854c3354bbbac617275b347f4eef01b971ad4adc3c1997c9b3209eb64ced0cf6124868cc2579395b4a92a625f06d5e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
70be0dc5aa64e4e65319d1188e295841

SHA1
bcb8261235d25635f651e6070defe84572a7b27c

SHA256
2cbe7a2e39d1d632438baf625df5930d49552dcf934d5ce4bfd7009ea644dc78

SHA512
95f8b86bab17d52d18574a5364af154e361226bddb1dbf2bc6983fb1b03fe9d8f6048fcf8f86c263f8addecb835eb816703b399c962e68f51a0bfbc55c15a574

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
f261081d0122081f26b560be64399fd3

SHA1
fc555e0aa3c00fe46390d3d8ccf00a29c96fba23

SHA256
52e61ac84573703249c214560eee4c214b552474b5a28cf3dba16bd365a88289

SHA512
82eaf8ba86a8efd7beba680f57970abf9ea94b3e61b736f0a929b2eceb56bbd56bf6f809a78fad46c52fe8c906ae3eb4fde67b2b537d5b8044d35e07977b3caa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
4dda092a0c6a8fe1c808cd10aa6bbbe0

SHA1
1fe400709be0194f66fc11aeb50e9ce9399a7f28

SHA256
6ee7a71a93d622194754656773dee0dff8a8d547f0faf7633d3855f57f9ca0c4

SHA512
386c2b9696e6e8b8514d83de5ded73e4a0a82dc068cfdc7df3b6997220493ffcdd2ab3fce55c42b6523fdc6e14dbc850d1ff131642f97422ba1a69c6efd8bef0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
2ad78ca08ecfb316b1eb992eb1cc55f8

SHA1
213abeafb177d1971e25a43272943696d310a34c

SHA256
eacefcb776411918b59f3d7f75a61a0c381a889edc2eb8cc49e6ab19dbb0a247

SHA512
00f791a2656f6f98500b68f015046b3f6e714c018e0a67e5b0c0a9a590e411776de57c36b9af74bdf216fd3af16a5a6ec08fd395efb7fe9a41eb3e17857374e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
284ab5632cb6d7042ec3385a8dff3d8f

SHA1
1d3e0bfe702dcc2bee3194d0b734d2387c5dfab9

SHA256
3683943a2fe444979656cf580a9e44c12b60ab11b01dc791ccd24baece8dae61

SHA512
f7aef429e581d0125c898605315b4a940c962664b8bc4afdfe38541b8e025179af8808627e8bc2fe4e9ea5eeebd9148d78c5e35eefdfc018b84b02df8b3f24bf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
00d1713311b658359fc17184e54c4c1a

SHA1
9037d1160340cdbe0dea20b4d048f860a5d41c2f

SHA256
79c9dcddab22e13bf15a7ed56da5a45fbd1d1ad0b6e046791eb93859f7f91e44

SHA512
918ec62857dbb4b541d6202eef0b159543f862bbfe2e02937ba7bfd5f7f384f86e38290cf64679b76863330622ac1468c983c6cad810e0c1f948ceea28ce3932

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
b61aae23bdd9275a9619f1f0a97a2be1

SHA1
b91113eb0516e948b8c1cf6f7a0a8ef9628959d5

SHA256
bfe8c59bd2534227c170e7b9dabb4538fa2c20c446ccda83008b883e817fe690

SHA512
53d886c512cb787576d4cbd9842e1a49de6601c705be6c19f9a3d54491ebd3455e0fe1c9106599faedaaf2f7d2896bf6e9d5baa35558efbc719cb8c60c375565

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
87KB

MD5
dcba10d0975df3ea12a0991004cef29e

SHA1
95197b4518e3f7060f78b8c5342c7c9b6e02984b

SHA256
24ce7b7adb538ba84a0a4d223737f2afe563fccc61abbc432dfc1d2652bdbd5f

SHA512
105c0fc9bdf2342ac175f2f945881849434353963aaa07fa0f4390e7d5ae3181fbc2c5943e1f99aa551801bbd6a93771d8802d2d79d384be24ec9ba2f110242e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
77518badce0b2fdbc566862bc6a09e7c

SHA1
ca5965a66d782d72b583220ff83b893f450ac5aa

SHA256
7aa93714b6439d46c72acec09b1606044237c6bb25269935e83a595cb4cfb741

SHA512
668e01eab194ad6bab1df5f38f6f9cb97ea006cd311ed608d33625e2e204bd1c85b0353cab3862db3680229ee996dc40b9bdcfd302c4c9ce094179eda98833bb

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
3dbb018df221764d83e0af8aabae20c3

SHA1
b5fd6c513ebd2e2105ee25061b032b30603d00bf

SHA256
891959068ec3aec5d0db5cd696835d68d4100850a637efe2e2ece0986e040dd2

SHA512
808aa5a98f2c9422e4963544266eacf0d6db14f6aec836c0dab228bd12d2717f310d8ab134dd9d988460db86ccb5121eb7df05bf455279fa400b1f4cf6e8d896

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
896KB

MD5
e64c2824de706e0618b47fe2cc005748

SHA1
46dd136a04f46fdfa13838cb8840581facaf4459

SHA256
b35702df5ace68732dd03d7e2738bb9335d51979841e05cdfc383c0434a2a51e

SHA512
ce4d98406242334c53d4622c068ba0b747de42543cc17d9e8c128dba4a3483a24ad3f6bf391b5eedc747e741b38a4622ec4add7f2cebe760e4b384284aadb94a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d9dc999afec817a07f7541ac43933535

SHA1
997a2016d7e9fbad71a3134cef930b5c3bdf6c3e

SHA256
571ff907aa26296aed9a3f524da6e38949f8063310209a40d9eb74bb43582db1

SHA512
ca462215994c249d93912eb06d2d611a465b7face376a3bbca8325c0b7d67f815de2ad73717cc822b2c7136dcacf5e7ad370eb2a03494bd87d525b52da436f7d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
5ae05564a15fff2d0de5a3782338d348

SHA1
211d62a632113df1f8c677eb3d3dca2d09a227d6

SHA256
44e290e29c12f89996fc66e9ecf9d4d40e966e37944b4bba152d679cfdeb7089

SHA512
1a58d8b0ce9eda94d888430ac9858befece30a86ed310d770ceb738152333ce2125cbc9a8f8d991b13aa231c209de38cc9cdb194d2fbf1c61e8a6cfaadf35e41

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
02577910fcdea26c529baacc4b0ad7ef

SHA1
4786b1064d2ec8dd80f7426d8f55c11304957f6c

SHA256
24763c307e5722280cf5e2af1f17176e8ce61d5bf71df92db815b1e55f175fe8

SHA512
442be2d6f4e1f5750796c6d257889b7daf73ab89eb6b9bfa3ee96b331e8e0d94d629b39dad42cacd705d4d0a308b8bd6759127d85ba9031532b395351fa43b9d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1024KB

MD5
ef1997554d559adda9f2ddac6ef13c3c

SHA1
f65ba99760ad52b55b06d14242ae22b2debcf7c6

SHA256
27ae231bfdbaadd069a75d8fd9e047903aca720e2f4e4e5633501b7de44dfd0c

SHA512
b31effcf4dbb9fa819f213b82544964ac1947fc352ced8846ce03c0819733a1c8b786ceca12dddd966d48d816f3ab5d3bc714d8f6686f5c5de03383894d1f7fc

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
feb889f87cc71fa8d61eae9f01cc1612

SHA1
034c4f581cb84f2d1bab84c0633d6a25deba5e5b

SHA256
f8fcca2703cd22b0afe7ca709a1c9fe236962e4329de608434ad607221097913

SHA512
86148c96c35f86e1fb696a662575b4ddc094b1bfa472d592fac0b0ac3c5f60073aa4ba52bf2ac10b7e37f1784443702b7a6f76e6176eeaafb83a29c8cd88e845

Download Submit
memory/1004-104-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1004-124-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1004-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1004-98-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1376-131-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1376-125-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1376-123-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1376-270-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1432-324-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/1432-340-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1540-1-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1540-141-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1540-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1540-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1540-274-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1716-560-0x000007FEF31A0000-0x000007FEF3B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1716-319-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1716-384-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1716-559-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1716-556-0x000007FEF31A0000-0x000007FEF3B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1716-533-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1716-322-0x000007FEF31A0000-0x000007FEF3B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1716-317-0x000007FEF31A0000-0x000007FEF3B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1720-327-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1720-176-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1720-184-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1720-183-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/1720-178-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1760-170-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1760-288-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1760-276-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1760-463-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1760-185-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1760-163-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1760-258-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1760-162-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2056-175-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2056-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2128-368-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2128-432-0x00000000747A8000-0x00000000747BD000-memory.dmp

Filesize
84KB

Download
memory/2128-372-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2128-373-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2160-351-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2160-268-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2160-552-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-303-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-262-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2160-261-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2260-370-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2260-564-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2260-521-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-371-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2260-566-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-565-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2512-161-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2512-66-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2512-43-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2512-44-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2576-329-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2576-304-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2644-343-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2644-342-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2708-140-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2708-143-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2708-277-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2708-149-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2708-148-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2724-558-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2724-325-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2724-561-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2724-358-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2724-349-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2724-341-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2868-157-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2868-114-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3064-528-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/3064-290-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/3064-280-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download