d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
Size

1.8MB
MD5

86f48cc724ef992656757016eb60185e
SHA1

421c350843296d37b6b1866a38d8293d27d1c643
SHA256

d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184
SHA512

53789fd80cfdb236e18e23ca1496f75ba0ec18103643abaabf09ec19fa12917edbea83013790eadfc6aa70924350c82e50b89c7721b7845b1a4e2db7360c3bb7
SSDEEP

49152:6x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAVaB0zj0yjoB2:6vbjVkjjCAzJxB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 31 IoCs

pid	Process
476	Process not Found
2992	alg.exe
2660	aspnet_state.exe
2464	mscorsvw.exe
1628	mscorsvw.exe
2604	mscorsvw.exe
2936	mscorsvw.exe
2056	ehRecvr.exe
1056	ehsched.exe
2988	elevation_service.exe
2444	dllhost.exe
2728	GROOVE.EXE
2320	mscorsvw.exe
1900	maintenanceservice.exe
1472	OSE.EXE
2916	OSPPSVC.EXE
2164	mscorsvw.exe
2208	mscorsvw.exe
2244	mscorsvw.exe
1836	mscorsvw.exe
2996	mscorsvw.exe
2504	mscorsvw.exe
2068	mscorsvw.exe
764	mscorsvw.exe
2324	mscorsvw.exe
1196	mscorsvw.exe
1536	mscorsvw.exe
2664	mscorsvw.exe
1452	mscorsvw.exe
692	mscorsvw.exe
668	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1116523bfe435d8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\goopdateres_it.dll	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\goopdateres_am.dll	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\goopdateres_hi.dll	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\GoogleCrashHandler64.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\goopdateres_zh-TW.dll	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\goopdateres_lt.dll	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\goopdateres_ru.dll	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\psmachine_64.dll	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM16CB.tmp\goopdateres_hu.dll	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{EDC97444-7834-49BD-9DEF-D54AD5045A1C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{EDC97444-7834-49BD-9DEF-D54AD5045A1C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1524	ehRec.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2256	d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
Token: SeShutdownPrivilege	2604	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2604	mscorsvw.exe
Token: 33	1100	EhTray.exe
Token: SeIncBasePriorityPrivilege	1100	EhTray.exe
Token: SeDebugPrivilege	1524	ehRec.exe
Token: SeShutdownPrivilege	2604	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2604	mscorsvw.exe
Token: 33	1100	EhTray.exe
Token: SeIncBasePriorityPrivilege	1100	EhTray.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeDebugPrivilege	2992	alg.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeDebugPrivilege	2604	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe
Token: SeShutdownPrivilege	2936	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1100	EhTray.exe
1100	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1100	EhTray.exe
1100	EhTray.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2320	2936	mscorsvw.exe	41
PID 2936 wrote to memory of 2320	2936	mscorsvw.exe	41
PID 2936 wrote to memory of 2320	2936	mscorsvw.exe	41
PID 2936 wrote to memory of 2164	2936	mscorsvw.exe	45
PID 2936 wrote to memory of 2164	2936	mscorsvw.exe	45
PID 2936 wrote to memory of 2164	2936	mscorsvw.exe	45
PID 2604 wrote to memory of 2208	2604	mscorsvw.exe	46
PID 2604 wrote to memory of 2208	2604	mscorsvw.exe	46
PID 2604 wrote to memory of 2208	2604	mscorsvw.exe	46
PID 2604 wrote to memory of 2208	2604	mscorsvw.exe	46
PID 2604 wrote to memory of 2244	2604	mscorsvw.exe	47
PID 2604 wrote to memory of 2244	2604	mscorsvw.exe	47
PID 2604 wrote to memory of 2244	2604	mscorsvw.exe	47
PID 2604 wrote to memory of 2244	2604	mscorsvw.exe	47
PID 2604 wrote to memory of 1836	2604	mscorsvw.exe	50
PID 2604 wrote to memory of 1836	2604	mscorsvw.exe	50
PID 2604 wrote to memory of 1836	2604	mscorsvw.exe	50
PID 2604 wrote to memory of 1836	2604	mscorsvw.exe	50
PID 2604 wrote to memory of 2996	2604	mscorsvw.exe	51
PID 2604 wrote to memory of 2996	2604	mscorsvw.exe	51
PID 2604 wrote to memory of 2996	2604	mscorsvw.exe	51
PID 2604 wrote to memory of 2996	2604	mscorsvw.exe	51
PID 2604 wrote to memory of 2504	2604	mscorsvw.exe	52
PID 2604 wrote to memory of 2504	2604	mscorsvw.exe	52
PID 2604 wrote to memory of 2504	2604	mscorsvw.exe	52
PID 2604 wrote to memory of 2504	2604	mscorsvw.exe	52
PID 2604 wrote to memory of 2068	2604	mscorsvw.exe	53
PID 2604 wrote to memory of 2068	2604	mscorsvw.exe	53
PID 2604 wrote to memory of 2068	2604	mscorsvw.exe	53
PID 2604 wrote to memory of 2068	2604	mscorsvw.exe	53
PID 2604 wrote to memory of 764	2604	mscorsvw.exe	54
PID 2604 wrote to memory of 764	2604	mscorsvw.exe	54
PID 2604 wrote to memory of 764	2604	mscorsvw.exe	54
PID 2604 wrote to memory of 764	2604	mscorsvw.exe	54
PID 2604 wrote to memory of 2324	2604	mscorsvw.exe	55
PID 2604 wrote to memory of 2324	2604	mscorsvw.exe	55
PID 2604 wrote to memory of 2324	2604	mscorsvw.exe	55
PID 2604 wrote to memory of 2324	2604	mscorsvw.exe	55
PID 2604 wrote to memory of 1196	2604	mscorsvw.exe	56
PID 2604 wrote to memory of 1196	2604	mscorsvw.exe	56
PID 2604 wrote to memory of 1196	2604	mscorsvw.exe	56
PID 2604 wrote to memory of 1196	2604	mscorsvw.exe	56
PID 2604 wrote to memory of 1536	2604	mscorsvw.exe	57
PID 2604 wrote to memory of 1536	2604	mscorsvw.exe	57
PID 2604 wrote to memory of 1536	2604	mscorsvw.exe	57
PID 2604 wrote to memory of 1536	2604	mscorsvw.exe	57
PID 2604 wrote to memory of 2664	2604	mscorsvw.exe	58
PID 2604 wrote to memory of 2664	2604	mscorsvw.exe	58
PID 2604 wrote to memory of 2664	2604	mscorsvw.exe	58
PID 2604 wrote to memory of 2664	2604	mscorsvw.exe	58
PID 2604 wrote to memory of 1452	2604	mscorsvw.exe	59
PID 2604 wrote to memory of 1452	2604	mscorsvw.exe	59
PID 2604 wrote to memory of 1452	2604	mscorsvw.exe	59
PID 2604 wrote to memory of 1452	2604	mscorsvw.exe	59
PID 2604 wrote to memory of 692	2604	mscorsvw.exe	60
PID 2604 wrote to memory of 692	2604	mscorsvw.exe	60
PID 2604 wrote to memory of 692	2604	mscorsvw.exe	60
PID 2604 wrote to memory of 692	2604	mscorsvw.exe	60
PID 2604 wrote to memory of 668	2604	mscorsvw.exe	61
PID 2604 wrote to memory of 668	2604	mscorsvw.exe	61
PID 2604 wrote to memory of 668	2604	mscorsvw.exe	61
PID 2604 wrote to memory of 668	2604	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe
"C:\Users\Admin\AppData\Local\Temp\d120c02bc0fea47ed84758e7b07cedbc140d167da675c80fa603fe2be3981184.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2464

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 1a8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 258 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2e0 -NGENProcess 294 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 120 -NGENProcess 2f0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 280 -NGENProcess 2ec -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d0 -NGENProcess 120 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 300 -NGENProcess 2f0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2056

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2444

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1900

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1472

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
4d5e699ca39cfae199e9c65353a27a36

SHA1
49f857354df5066838e8b803e453267930bcf0a2

SHA256
86019ca1d45678a69409a60f1d0726a78676300f382cfffc0cf940e05b50a389

SHA512
2e180ad07b2b1e555f26b53bb05b255f6f85400549d6fefc59cabd315e6b261cbec98b8bc572fae20b82754611a337075e10d2b98cec20ed3bfcfbbc53c88b30

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
9f36e79436adbeddea6b743594468509

SHA1
21d459917a9c491850493a0187ffc4219eb19f28

SHA256
7a9f6f02f9d37d395c4b2f51edf295a48a20253ffb371bffab9e112c1f4550c9

SHA512
f3b3a53af67be1504db27b9ed7ed7c297f52f740548d4bf2b53a6cc3aa9f5c828a3c27b26ea34fe4b8734ac38d4f3aa451713ff73d3f483058fbf5394ec0fcc4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
ed27b024e015fa6864c979001af3ebc1

SHA1
fa1bcfbc3d157f6dc812df1501225061adc04537

SHA256
5c2fe87f9fb54465639593c7c6b333a40048d63419973d65ffbc9997e56c350a

SHA512
a78503faa4fd984e30bd64f5b27fd8abc0496769d99a16d0a7fcdb6d7f0318a8e2733bea36663b5bd487c669a2380165dcab31c316e72e6b2a41a26d8b719a39

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
d84c89b3310fb405b24e50806796ede9

SHA1
b2dd11bc3d84c3680a966a721bb3b564098623d7

SHA256
5721a2d2091bee1c99f985e02306c4e5f46742d490c859c8555c0c685378ebd8

SHA512
86edfdea9aabc64914e8be580eae360b12a87625be54158c656ffa55de188a419cdeaf8c22559850c42ce0b89ad194678bec89d7bd8fa8a0f8085e6738c567f8

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
4459590f67fcbe8d192b6cd08bf57587

SHA1
47c98b1cadfabdacb503717b375afe560ab35b35

SHA256
7019f871152c8f7758d05c576bf1f3906ed92b8621056dd509a4aa90d4b78f6c

SHA512
c58dd7ff4739b4fd7b3c41ab3b4b820d8ebbd156aef8e6c95485c7f8bd7d1ced5c981dfd0f709ead2ecc7ad5b5f048d6bb9e20b23c0b89a4b9605f8f7b5611bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
288945305ae2c2ae95a96a6ec256b0b5

SHA1
85c38af434a7007f9e43d87d32e71bd7bda231f6

SHA256
24257e1f825fef431e7c4820cfbe734f9fb6f38474993366eac8431bcbdf8b42

SHA512
f2f11f97e54b4bd2ad6a15b584a6b272b21340b8158ef813164ec750d5be5190dbdecc01be12c8e6dff161d7c9b712fd3cc104f279e06c4ef02af36afac3a06a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
665edb0dfb41e01e983c9d262a89ffb0

SHA1
914702ea14b80eb069caa01112ce63582ad8127a

SHA256
9175bcdd97a7838e5845947a73e255ac9b0bfb55c4b60706825de24f7705a9a1

SHA512
54325c286e39c38865d6c698c90853de78c1e4963760a213c89d2b6c6a1df3b686c50faa009cb7ace2c03f4093a3fa2689d35637c144acffd6a01782b8aa2ea8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a8ed9fa600859a2251da277efb7c4b13

SHA1
adee260c968d2dcd1054598bb1f8d62369fd80a0

SHA256
7a7e2de1eb0d95fd2895b51813fea3fe2a947b2e6d03328bdd6453bf5c28e979

SHA512
3c5fcaafe88432b694ca27b51e41e4d2da34b32dffb20a392d3f7553820a5929691173f7859e88cb665ae54725ee2bf156718d9e8a88eab1542f53db180ddacd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a904688705f2f03521f98b05f2283da7

SHA1
cd480992ce1fd8d50c03ce22334fdb604bcf98aa

SHA256
c0ff97b218d4586f4adabd94ceffd93391a47f57fa0e6d7d21f99064acd99987

SHA512
8529cce4c4c127a0bf2a3cea6fb34c402a5282ed9bb2e4d4fef5b0c15fecf29cde719d37d61569889dd37b10988aaff28b6a5e4f20c6098fefea66a964b0a851

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8bae6554743146aac1701f719d377f1a

SHA1
024fceeea77a92c9b0de28661d356c8ddc3c09e4

SHA256
b8f1b18c4302fc2bd331e5c76825bb48e9102c33d3bc7249cf9e75c79bee9d69

SHA512
088d3ea14e601b25282b6c29e474448965e278fc9501d7f71ed06fb9c4f274aa6b060b04c4a6315b6f56fceb1efbc6b846a70347f2e969ac0ecbd589e1eae306

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
e61cbab0eba4cacf2de344cfcd62266e

SHA1
d6de1668384327e89130c34cd9dc1ae354dac339

SHA256
5ae11fa62d027768563650dbb74ba07184918f606a92b6f9f9276183d938e97b

SHA512
adbb1481077aa1f8e406c49bed0faba07735762938cf9a647e05ee804e08cb249163cd028c0104413df8115017d8f4fe68e50d0a6565945907cda459b207c2bb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
8533223ffd9ddbd2b4b89d01faced2f8

SHA1
80e369ce572b8a235e60cbe3c4d40ed466be8a7e

SHA256
c5cb1b4514f81f6ef8044a3b402dc290221c26b04b5bbb54b199739376556dc8

SHA512
c47c92c9c0e73f449273976cce04f8e071562fda630ef52c38dc4bb4ed28e419ee22e0e6a165594d40ab39d2bc600eddc97d96b9bd8b6cd5a22abb9f0c511c8c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
44345111dc1d86f9b840d824efb6e50e

SHA1
1642a81568ae55e8d932181199d9a844286e9486

SHA256
8acebd2c34ec2b4c5b57796a92958f3980a162a039fc830c8190359f23ade955

SHA512
0d393279620811186ee0e73d21f17003499fedf44e0e7569f2477f88dcefaa1ef57b8f123c1b398632e7fd793ec2de045829a8fd7c708c828ebccdbcde0f5e42

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7b232d584650bffef64f8843958a089d

SHA1
73bf06bab73d11a1d83469c6a55dfc25ee1ab74c

SHA256
64160db832ec9bd8070afbfc0b2075bf4af98d20933646fc6b050269dc66d5c4

SHA512
f6520aab19abf2b024201f988a9b7cd150abcc5a5c15556fbf3158f80bafe57dd12503e7f34274dcc1024e623ee9bc3494d3f222274784b2a609d05a17d6aaf0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
cd913c44c1c83f8786a74d935ed30efa

SHA1
8a6fa1512e763ea3b4dd548205313b63ab1d2360

SHA256
8b5c3998edf0aa1a83b8f1c6db6ec47f60c45e682f3a63a4d0dfbd0e19e48275

SHA512
6b2dfae2b509dfdf4ac6c80386c6617fc48277927b142b1c9d91eacc9acb7c99b317c3928b52777f8ce4b2ad6d1a5431e5eccfedf5f755aa59a46b9792b46795

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7e7879fff1554ebdba9e6e7d2b269421

SHA1
ddba42964401a5c1677705efc00598ca5ca796ec

SHA256
ba19d2fd41abcbfaddfbaf03c1ce2eacda7a159cad3bb2961cf2dfca4fa8c58f

SHA512
1293b13168107d52dbd45936eaba0bcf9153ed5abe22893b5f6a82ffa15d873c15ae4d3e4622b3d8970474d85010cddfa7e5ce08db6d277f528dbf66136fa96e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
86af42eab807f349fae54563d9ddddc8

SHA1
a084c3232e44da96d8ea8c842ba28e207208fabc

SHA256
8fe131219ad5592876564244a3f026b168e17324bf0bc2be84d923ebdebe1882

SHA512
e8d2deb2b19f48766ab3dffab989b043bdaca7809216839f8b949aa89e95025fedeb5b13b36d65a308a49d340e11bd2fe91f6c2837be62f26cb6a8134e0ac2f1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
95b3e8da02d868d8192d64e98cafe4fb

SHA1
b3b6258a49b5a9b0d7c4118c4f3a8e4dd846be9a

SHA256
e40bc2e9ca3e959e292246d0e11933e41b29b68b6981fb5e6b2c3c6431cfab49

SHA512
167632e5481c65b1331c1b71cabc8fdb47814ff6611bf7ee0538ff3c7f2914999aa5d0f1517d967040285f21ab32cee1a20f00b38ac8e5eb85ac5636afb926ba

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.5MB

MD5
eecec8a1b415eb5651fa48ab3b09e1c3

SHA1
e0cbcbf1689435283a811aa31db21c355d4ca696

SHA256
490053a9824e2d2019bd44f4f2feda1a7d47803ebbbb6bae88277de27915e5d5

SHA512
cb9dd5a299a531c1d08d5d830e7e2512022c3f32aa27a14bda4b951a7fc87c870978d68b36c5b20e9e5ece76bd74a07e78549020fb6fe2b7b5333070fe74fe71

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.5MB

MD5
98173398b7005dbc3453e12a4e306829

SHA1
2bf70f584b2d17d96d18023439a8827c2b281cdc

SHA256
47f91b95340caec04cecf51b5347d416698d3f924ac2380338b3791f6afec5bf

SHA512
8b4c5d7008bbd4139d8869beb4545a59d432559c5c4ecab87b510533abf9517973eb53fe0eaf300f6806ae3b097a5557270c0daf563908ac50c29e2a93c4aa56

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.5MB

MD5
f004bc1b8651874b2e5def6093154f95

SHA1
08fbf4d3895769c036540592f11e78cd4fa18abf

SHA256
220dd54734d31e93dfb53c0b00536f5f5ea169f9f3ffb3434c6538344a64b511

SHA512
528688df1d4615dab10d073e9edff6845ec4f5950d282a969e6b471f5856d6b9f6d5c85553eef4b471f0ffe819d4544fc340b2426456624161e396e8a4f1e69a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.5MB

MD5
dbf281db02bf590101041d5b0b324211

SHA1
d80ffe158c844febfd08834e2fb035cea999362d

SHA256
217f85298594a0e80bc9c5f5457b00be32688cfae5cfe6f465151b8170efb9ee

SHA512
a8b30e826f143ce704ead008bbdbb4512055d3bb34557ec74b4e61eb56853a418b7b5cc1812958606c89eb841ce8be9cd36783aa9cb20486dc13d8371ff9ec16

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.5MB

MD5
7faf8b908076159a1d0d112952539942

SHA1
a82f8b4d5aa1d9944f693f98cfe7e0a311bcbb46

SHA256
c7e6b3f021bed1bc6cb41fec066f8182ca811a224b3e058ab9b60279eb9fb3c7

SHA512
141873ec918db2c42eb343c3e33fbc4c97fc799213d6282633f25eec580ff44003bb251f12c8a80d0769acac395fc93d9e3e4206512330357652f709bfafdf39

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
1.5MB

MD5
b9dd393d792ab666f45ca1382298c08f

SHA1
2b36b814a96eda82368a07b036239e11cd95871d

SHA256
b8d8e19374e5c718fcb7876666697bb05770debf804c65651c7ac2ecf9022e97

SHA512
daea63a74e5548568761d84a66075e765d79cbd5a35261b9a99792a78cb04014e92e017fd1c75cd9c6576e3c3e2427f54c7f121fa36db060ac213b3b152e967d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
1.5MB

MD5
a28325def2371b216be9277b65c36273

SHA1
313ccca274cfa6a441de8bfbd1f7a1d3ad221508

SHA256
9f163253e6bb15c9de5e5d0393ac8d83b188ba45bcc2cbb9cd020342fa4637b5

SHA512
7e86f2eabce3e9bbfd2cc781ee6d51b541d500c669f8225afd30c55f9a0effb62b31137acba42022b9488d33f52e9ded81b39c12e32db66ce55f47989325ebf8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
1.5MB

MD5
3730344ef9522e53c86fed8a1f420ad0

SHA1
f90e4aea0581e7f17dd7ccf4f0642584598cec3f

SHA256
79c67c3b3d93a3904ab3331ed00b4a77234dba5be08f7c7bb7fa13a3ebe3ea40

SHA512
168c07c5b64440fadfdfe24638b772164f8121c2d2d751d488a2b6d228822b2a54a1b91a463ecf62c86529276f9500720894c0ccbfc5cb00f06d87c0520a9883

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
1.6MB

MD5
70d2fcedef6da2b21cb857b885efb3b5

SHA1
8d7da08bc344d1be6252390e295e7708a47a9d95

SHA256
bf6242346b841630b623ee8858a5e58f7502d77b02f6664908a4206f48785cb9

SHA512
5558fcf55a94e1da41aad79784e08dc3dec02e543b879403b159bfc6edf27367e684f66c087803dea9f77f5024afb43e565ad9640a63863166abe2e01b1cb4ad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
1.5MB

MD5
468dc752320d0d8df5390da77c368063

SHA1
72a93cab45cacd5085161fba057555070ec283c8

SHA256
47deb2cfb419584bbace2d1e82b4478390e54e708aeff0f1d16e70fd3405ffa6

SHA512
d3b86548e599d41410f2c99bdf693c0b8291e62765983ec6550f12fcf6a872df2aeb7885e549f3e8a9260082b5a235fcc3103e487d7646dd4a7fc1e54103a648

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
1.5MB

MD5
35b336a71ff3898ff644e5e182e5fce9

SHA1
b737c6c815fac5d9a8e2e243ecd1c490353a0018

SHA256
64ebfd1c6ade500d2b100176065c44e6dfe2347d46c61d8a510f6d7f2d112f45

SHA512
c860bf17f7b9033b6fece7e547d77577fceebb17f01887c3e14eacf8bc9e77a6b5f2422e2f2d1d96e529c89348252ff7e2e642066ddeb3fc7a594ba22174db2d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
1.5MB

MD5
59cc5904f9f55857df40020e0ea994f9

SHA1
f6108f4b07206aa7a5fd377c0ac198fee40c8b85

SHA256
acdd20b83ada3317b9c14b0f72a597569002737366a731db283a5c01fafe230f

SHA512
da830506425f5575e35a93ffbaace533eacff87737e5fec210d39c47887ef440f1151cf45edccbc8f6f18de724503fffb12e31ca89db63c695f673dfa7b5856d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe

Filesize
1.5MB

MD5
78e814360c335f2d74c2c6de2f235655

SHA1
cd534f6fd326e18ba69269b50892d9d6f5028a9c

SHA256
2027e8edf7b939fca747c55d73e6378c4db408dbcbcfdcc00fbe3a63132a47e1

SHA512
4fd1eb8bbc25780d494bb1dd7faab4ee670100417c2e6bfd7f06fa2ca87d3f7f2b9b4381ad96ae228aad20ce570b85fe4ab661d5a37d99f26e6bed9f1a6b287d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe

Filesize
1.5MB

MD5
297c8ad3b84eaedc0ccc3dbe577cb76c

SHA1
d36a0771f3e9712043b4f6694bf3152bb57e5cd7

SHA256
bf64aba6c4a577ec5919848e1750e59645bb2f90f583d1283a23e657a489104d

SHA512
2c18c21e7d3d951abaa874a07499515f4f747d1c3b94aca8d453f7317cd44b63e70973b65dc22e32f13829456b129c5000fe4b9476f439b8a30a1336ebcce92b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a485b3f267ed0964476d6de428e9336d

SHA1
f921a2db35f1962e5a1d234fc795758794f69204

SHA256
71a15eaf17e76200a069302b1e9b0b7a2c7697bff5faca34f708549006db34c1

SHA512
5b39d802d6d7baaf37728b89b094d3b10a70d7a308a7a8b49f501d67ca5699363ebddc3b18e68b0cd64aa0a95ec7ed6f8e27395a06df8049c47740b58bb83522

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
08172b186b93376776b5d9ae18e9f17d

SHA1
acad454957c13cf21065afbe0d0d87b43fbaa9a9

SHA256
9b6933e1450510b7db560502cebc2f1639fc6c9e9aaf7b4d7c994ab9bffc2e21

SHA512
fc2ae0eaeaf6589a8aae0411f3f68ae952693656def922e4e6b51571ceaecbf9f152928e33528bfbcc804fd4752efa2057cfef7a4cbdfb323931c67e1fe09d6c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
fdddb1ebe9a43299d1238610d5d17a54

SHA1
48aa1fb7266876e659d96b037ce57719f100880b

SHA256
4b7e03a6437a2afeff5c0c393f15933813c553c2c06388e2c9d2a7719c207b3f

SHA512
88bfe0db90fdccfa66aab3d6f7cbb4aaa41e831738f80b3a6a1202b09c7b3289d34023b02539403a6efd413c1c22f93b013806d7719c1d1439d0e00abb9848a7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0200f6845c9f19e000466ba15de463f0

SHA1
5db7de0005c23ab4a33cc561f899e085de83fdf2

SHA256
2b2dc417f3bc924ddea7e65069f5dea9a6ce75ff7670a4f583e38c47bd570b60

SHA512
ebaa84861a1d84a990970de4e8543f3191f4b19fa90abb3c44a1e885c5478d0c208018d6ca6b28ee58c3d2b7590feb9a2c1441427ff76f1ba728cfcf9a5d22ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b62d5c498a0c18670aa54f731678b12f

SHA1
31c5c0052f8453b6436cc48bee18cb65012acea8

SHA256
d6866c17c340b42634672ce4eb5a1b8979fa30fb35aceb666a2cf1d081642d52

SHA512
840a4575969c87a3e45ec82c4eafa13cd6c934edc1524f7666637a114dbff88bc9833c49a5143886285ff4bb748041f085f29a97dd6b1bdd23e003ccb534a828

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
d4d6410c3d795a2f11f65d787987c386

SHA1
8c8254a18f244365c571abad9c03d02e79cae342

SHA256
4fc46c91781ae659626bc072b14dc78e7d6143277ff85639d9169bbc2f3be968

SHA512
f2d72ac06cb2dd06f179bd26b0ad9a9082f0805691007a0eadcf6aff1e6a352ff32deec61a3f3c214ad1432cf7e5e5839346cdbc665816403ed0d3726a21e767

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
6c1a22a8f9aa252c2195ff3424b9e300

SHA1
107b6e81ecb1bcef646bdfe70d3a02e53a0730b5

SHA256
a1b01d93d7d642cc0e68de9aea2757f75d4c40d720f5efec44233c5e8c01af3c

SHA512
ad788174d71009e5f33b9e82067abb2ef11a8bcb6808de166bd0e66a6192e186d50304e340c0589dd5638afc7f7885a1fc6f7279977644d81116a7ff6f3f8f74

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
eff9b558e8a29bfa184917da2715fa88

SHA1
cc16f8818150a96bedea70f6c3dfc9cce9771c2f

SHA256
09a1b8530dc1598e181c60347d9abd443bffb08e4e81f629dcf060af4d9ac47d

SHA512
79496c04ee6266eb836a7b03b487b863775904ea4c639c55b0ba2553e28a9e62fdbcc422db3d3661086297ce420b6e1c449cd54530a7e8439619c84c2cf71644

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
c43cb7370126acb497b58ca706c7cea8

SHA1
297fd4d556d36f2efbcf9f8440fdc97c426bc364

SHA256
e9b9143546fc4bd8a130aacea8ff3d6125ba8c2c9c9b192a07b0c9e64f458194

SHA512
98667c8c7e9b9de0d8a3feb23aa353a182f1db6b20cfb70dbe0d7f4cf2fb8fc66f11ea16163ee37b33755bd249ff7c1ab766fc12a51bf5a54dc530425849a83a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
37002df0ed89972f8f75679c556d6029

SHA1
9a7da3828f43c8c33e2be87ec455f523a17723e7

SHA256
a9521115a0501f35057a6da4c3ae5dd737a34d0e3c189a88f3dd80e5b00c35ff

SHA512
8b6341c16dbeff148de80ef2ed2fbbe0c4dd2a4d1e4b52a79b8901d82a4b4c72e4ac500f4888b008d969dc2aba12a24004061439267441812fbc06b9ebc3a20a

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
8e06ae43843408d3ac51d463838b1c81

SHA1
bb7352335e6503db178d24262c9d6bacbb2657c0

SHA256
082978af5f2d90442f221a7e57aa17997cdae4c603b6b6810fb48d6d1061ad34

SHA512
7e4c7802b70e684c852971a4a06d2dd55a02c2e39ae6132430c35c019852da7c7e9826df64a6026661307c58f421e21f992fba38b4427058c68468c9af362b22

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
07485a5b124a75cb5fa62d367d2241f4

SHA1
1aa0dda2b142ce1c23807c78932b2eb5bf8614cd

SHA256
45399fdb95a7147c6654f3ec83cd142631c57a4cc5483af5ea1ad4acb7d2eb19

SHA512
7261a33d7066d563b8dfe84b96dd84ed8e51ee14c6ad934f10ad95d5156f94b4f7d4c42ba9e63618adcf0c92adb753a60c3da5f9f577e740ff2606e70c244f6f

Download Submit
memory/1056-311-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1056-178-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1056-183-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1056-173-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1472-487-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1472-350-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1472-352-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/1524-343-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp

Filesize
9.6MB

Download
memory/1524-313-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/1524-287-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/1524-286-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp

Filesize
9.6MB

Download
memory/1524-289-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp

Filesize
9.6MB

Download
memory/1524-344-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/1524-369-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/1524-480-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/1628-115-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/1628-136-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/1900-331-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/1900-337-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/1900-319-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/1900-335-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2056-163-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2056-186-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2056-180-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2056-177-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2056-167-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2056-305-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2056-159-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2164-469-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2164-462-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2164-455-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2164-394-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2164-388-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2164-377-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2256-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2256-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2256-267-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2256-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2256-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2320-365-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2320-341-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-391-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2320-392-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2320-393-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-326-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2320-307-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2444-338-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/2444-283-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/2444-294-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2464-99-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2464-105-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2464-126-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2464-98-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2604-134-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2604-273-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2604-128-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2604-129-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2660-95-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2660-175-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2728-304-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/2728-301-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2728-349-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2916-356-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2916-397-0x00000000741A8000-0x00000000741BD000-memory.dmp

Filesize
84KB

Download
memory/2916-376-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2916-363-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/2936-144-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2936-143-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2936-290-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2936-150-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2988-190-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2988-329-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2988-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2988-272-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2992-38-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2992-39-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2992-16-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2992-19-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2992-160-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download