dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
Size

597KB
MD5

e438742670f42b9ae38b14adc613183a
SHA1

e89548d790a033cac22125a3b6a32716b79c06dd
SHA256

dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5
SHA512

304b4725d4acd4e94c9727f3e3249c05d03dce50dd88e57d1a2009f3021b8d73f9b53a052cd2e1f9bd240c8571f91e20ea793a7935f697b00fc2a577a94c622b
SSDEEP

12288:Jh3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:Jh1N3RUDHNmdPCAaq8Nozgi/rE0TOj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
480	Process not Found
2224	alg.exe
2648	aspnet_state.exe
2840	mscorsvw.exe
2664	mscorsvw.exe
2476	mscorsvw.exe
1732	mscorsvw.exe
2752	ehRecvr.exe
2120	ehsched.exe
1820	mscorsvw.exe
1740	mscorsvw.exe
1716	mscorsvw.exe
568	mscorsvw.exe
1968	mscorsvw.exe
3012	elevation_service.exe
2220	IEEtwCollector.exe
2464	GROOVE.EXE
2940	maintenanceservice.exe
2404	msdtc.exe
2948	msiexec.exe
1548	OSE.EXE
1724	mscorsvw.exe
3052	OSPPSVC.EXE
1916	perfhost.exe
1664	mscorsvw.exe
2576	locator.exe
3020	snmptrap.exe
720	vds.exe
384	vssvc.exe
1268	wbengine.exe
3048	WmiApSrv.exe
612	wmpnetwk.exe

Loads dropped DLL 13 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2948	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\system32\wbengine.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\System32\alg.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\system32\msiexec.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\system32\vssvc.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4271e3d8aad3ae89.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\System32\vds.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1032	dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeRestorePrivilege	2948	msiexec.exe
Token: SeTakeOwnershipPrivilege	2948	msiexec.exe
Token: SeSecurityPrivilege	2948	msiexec.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeBackupPrivilege	384	vssvc.exe
Token: SeRestorePrivilege	384	vssvc.exe
Token: SeAuditPrivilege	384	vssvc.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeBackupPrivilege	1268	wbengine.exe
Token: SeRestorePrivilege	1268	wbengine.exe
Token: SeSecurityPrivilege	1268	wbengine.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1820	1732	mscorsvw.exe	37
PID 1732 wrote to memory of 1820	1732	mscorsvw.exe	37
PID 1732 wrote to memory of 1820	1732	mscorsvw.exe	37
PID 1732 wrote to memory of 1740	1732	mscorsvw.exe	38
PID 1732 wrote to memory of 1740	1732	mscorsvw.exe	38
PID 1732 wrote to memory of 1740	1732	mscorsvw.exe	38
PID 2476 wrote to memory of 1716	2476	mscorsvw.exe	39
PID 2476 wrote to memory of 1716	2476	mscorsvw.exe	39
PID 2476 wrote to memory of 1716	2476	mscorsvw.exe	39
PID 2476 wrote to memory of 1716	2476	mscorsvw.exe	39
PID 2476 wrote to memory of 568	2476	mscorsvw.exe	40
PID 2476 wrote to memory of 568	2476	mscorsvw.exe	40
PID 2476 wrote to memory of 568	2476	mscorsvw.exe	40
PID 2476 wrote to memory of 568	2476	mscorsvw.exe	40
PID 2476 wrote to memory of 1968	2476	mscorsvw.exe	41
PID 2476 wrote to memory of 1968	2476	mscorsvw.exe	41
PID 2476 wrote to memory of 1968	2476	mscorsvw.exe	41
PID 2476 wrote to memory of 1968	2476	mscorsvw.exe	41
PID 2476 wrote to memory of 1724	2476	mscorsvw.exe	49
PID 2476 wrote to memory of 1724	2476	mscorsvw.exe	49
PID 2476 wrote to memory of 1724	2476	mscorsvw.exe	49
PID 2476 wrote to memory of 1724	2476	mscorsvw.exe	49
PID 2476 wrote to memory of 1664	2476	mscorsvw.exe	54
PID 2476 wrote to memory of 1664	2476	mscorsvw.exe	54
PID 2476 wrote to memory of 1664	2476	mscorsvw.exe	54
PID 2476 wrote to memory of 1664	2476	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe
"C:\Users\Admin\AppData\Local\Temp\dadc6b347f9378891a63f62fd34e12bbd6eca3535906fa81e47cc908f71499a5.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2840

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1a8 -NGENProcess 250 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1cc -NGENProcess 238 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2752

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2220

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2940

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1548

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ee4a720bc3a16760aa6e664f1ace45f8

SHA1
db3b0fe451f8f04b0d7772ae6d457dea4b5cf6a8

SHA256
0d991e9fb1e9053de5a9949921c568043e31505c5461d8c8a9aebe36c2f0ae9f

SHA512
82dbe58a7b28c103f130db02278fb4e24fa2bbf071484c37709738e2e36ba77665362dbfaebd1384f0ad6e553396c89657b286b551c27ec7558f8afea38ae790

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
2da0fb0ccb421364238cd480a3f320fa

SHA1
cb4996223fe99587cb1fc41a10a2443c12f49a3d

SHA256
3c518132cc0a46aa9b15922cce53ee84bda5dabf2390fcc993f3768655c76d03

SHA512
c2af3bf3d2aafb4f4d055f498a8f76b8bb13cddc587b2880cfd3dd9f679328b5b40d153906124d7f6efdd39b97b786433af432107d3440c875ad8c8eb264858c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
48106b41bbf5eae060f65db3698f9b5e

SHA1
27131e1c9b01a03b47acf77b66648958807a64de

SHA256
3c60253a94fe1371733b884158c3408fbd6ae244c39218a1cfa1491c5d123fcc

SHA512
b142ffbd586997b2b80056d4f05d62b90cb5335b39cf2ad69d7bee4205e20bb4a6d40906d727832a1c4eabb7d451644565ab8460b63b34b50fe7e31f002f00b7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
52f988dc3557659832882c8011e49847

SHA1
976f0607ba5ddbcf100f3d979df1196627366780

SHA256
6e161ac787b09012ddbd48ed3306e10d02282b1d1da2472f31badab45e9f4bab

SHA512
0abd050981d1ddacfef766c849870dd7ee9c714939bd58d371effc42f273b28648ac75d828bdcaf4da317d3e2b9dce09cd3e71f409927b52edeaa1b3c465cf57

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c1466ed5eafe93b0fef08b2b28e2b4cd

SHA1
488314295cf30dfccecaedddbd583b3a53ab35fa

SHA256
d314fec2f37f6a46b587146aac45121b37d8a7706af91c3318c49aec00c6d944

SHA512
ea5ee9ab7faab90e62903592d482ef211185b2f26b18d13d91fd166c9188dd4880e98c7e838495138de31fe58f896fd4340baa0df713cc05999e6df0bfd18bff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
cb38a1d73e8530df3c5fa45e0ee2ea71

SHA1
40bd0a58baf4f7e60adbcdc271127926382067d7

SHA256
6ce3ba58d1f5577498ced23b6389278653d5f13022a50fd20b7d0b4aa256ddd7

SHA512
ed5f200511fcc6d1594548a0b76667cba54a94836b0b64f53b44652ec66b298c375aead800ab41023a7d0125537dd96917d37165316a7b8218b9dc7d95c77232

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
2a5040993f4956d09fa3825f28b296cd

SHA1
7704ec0f83bd520cf337406c4d3d29277439420f

SHA256
1883532fc5c55d6628bcdc3540fbe05f8d3fc0767db471cfcc8b584f11dd123c

SHA512
97beddb4724c6b37f2d5571d3a92c658803ee2499094df20d248bedf317d17da6700f4489c63dac2301892eccee058a4fec600ba5060eec5f00a5f472d6594bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
92e02bab1802bad705e9a71106ffd05b

SHA1
41aba344f873a8e72b68a2e331ecb71054d562ba

SHA256
3a0c38c900860541ceedf7ffed16be3e0c5235818f06590ad48801a6c05b16db

SHA512
addd704bdc202255dafff555625b4ce028e01d682e332d0226c7fe6c7f15aa4edadc5bd7a0f2d43feae50be425dc04ff7fa2762267bac1cedd18e28b17af83e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
1d5222ced9459af58cda80e8cdd5d69d

SHA1
748d9c6af394799a5e1138bbe8d3b05e0ea899f4

SHA256
ea13b24c96c3a94f00477268f6867c12b31fa38bdef392aab42801841d18e919

SHA512
8903cd488cea7970d66cb7b43b5ada7dff982dfc6967d8ed9a968f211f0794fdf5b529a82752968927b68355b6c626aa316377ec682d77efe6ead757368c48a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
fc220c10dfe962cb70b0814e90f69f17

SHA1
964832ef0481bb34e0375725058c4a776fb04f12

SHA256
af65259e821a0e425dafa9119cb4e793c38289fce382cb143a435f5435995549

SHA512
1a8bd893f3b26bc1c86b37f7291477e1a03c708595a6fd70fe7263ea803527caf82a2e9104a49158f9241b54eb519c12a8f670dff8717401d4d52d3f31ca6504

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
21760d156c8a14ca176414d29c272ba4

SHA1
e12aed60a475d173e6f09c2557d7f4f5ccd67624

SHA256
1d7c580fb9b72418c1b3dac3f9d7320038f4e3cb1e42fe7b833e4839b4f3bcb1

SHA512
0ce574a4df489465e39a6149a3d1c88899421aac71f79f623ac32be34a7efae77a38bf0c549f0a485cdb8d7f8774a22c99ca5115c5b40d157c106425b1ffd888

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
73c04f51cb063adfd2f84b5355cc164a

SHA1
74ce1a0d2f4e4c16f758064d9a850d25292dd607

SHA256
247848ee6192120ae5f02f58efd869004934aa580b5552c29b1f1370c4b66548

SHA512
2196589a622ef501003ed03ae33a7693e373785ea04859333c87be5fc70f6a9ebc32a038e99369807aac5f9945bbac09f16d0169dc235d1c9bf5ea8be0504b1a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
ca0e094d159d9a16bcb9eba7f0cdfa9c

SHA1
2a5b4d1bf07baf589cb774e911241b069217d2c0

SHA256
b356c85419853478991cf8773980bd1d339de728cf8cf12ea825338c1b6ced12

SHA512
edf38008f6ead088e8e85fcec65a62c0ffaa08a056e884e516768bc8c7bdfb19722904e20ddcc6b48e39531f33a8b0a57df61852b70521e3dc9420aeee520a05

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
d18f6df9196f5f83a9f1b46c24e94370

SHA1
70ed3300121bddcd9da42627c943c43964890213

SHA256
b026a1063cef150ae5625d03410f922ac60277a39d6830c40976c088d0a7c18a

SHA512
e09db293aef15969dc4e6fe16f9c724ca6de9ec4ada4e2a230ef17e77fc51ba454f59a5e841017d90aa0a2181baf39d1c98b04a0e223d01b92372b91dc713590

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
285e0cd960a095f10abab85d1d2a04bf

SHA1
f69fb1d0d7cd0d6a5ea6050c5a9e231e208e95f9

SHA256
1cfe40abfd2809591d9fa7273a68bab9d649eba0cbc552f1046f6738cadddb13

SHA512
4f3a13510800cc1918a41737a4a961f5b0ee6d61f4fadd2148620d145ca509cab72674d5263b8b7954bad1c44fe0d929e77a8a9ba2887f05af93320031d7378a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
04bc71baf50bfc5e91bd82fc700f063c

SHA1
68141eea3a71d1a5762272c5adb8de487747a091

SHA256
f39739c6abf768bfccb611a7f4ed7b1c1567dd6d7c3f53b87c347f6037c73ddb

SHA512
81cda8d8929cdc5ba95b5cd7d2a1164d4eb64c013f6e1cd5b79b15133fe0357c84a9965a12e25f3ce1b4c5ffa0fa8a52f55aa65dce130b06cbc2cdcae269cbb5

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
30cdc123e4d6e37a0a234a3d06201211

SHA1
e9559044533132f0cd4f6ab64047c39ad7dd466f

SHA256
141fefa87997b97bdd277e64e17d14b2f5f62645cac4bf014d4edab8df4bc92d

SHA512
c3113b506d9f38dcd3485d15c924dd7146fd95a64370d5ffac7ae79d4e82b1289d73bac415558b894ca40883595a6ec211bfba7e246e0c794db33394f99fd185

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
801976dcffd1e674a41518dc9fd7c442

SHA1
8761053a5339396ecda9affd7d2326af8aac39e0

SHA256
01e3c7906d2ea7ee81d307c7f8da419d3828691ff6aeb09dd8c3a36931c468c0

SHA512
26e0973c44c5d713b4a1827e7646903e78cb411512fdd276a4dc75bee510766c1c6fd02055d5fd7b7184bc347f3272cc14bcc27e4cbcd2f9ace3e1a8cbde8d3d

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
8726b9a4eacf3628b8e97bf6f904eb68

SHA1
9a36528fea759df9fbd1832ae2f434815fdb0c83

SHA256
1d0d24244cb81e381f9a03289752f1a3a7de692f88038ea3ba266213f057aa6c

SHA512
2bccc1d91392beef063a4a5c4a21cb1a43ebe15e22852afa2e38cd3b913636753637cbd8b83ae9fe88f4b9ee43c28fb72051ab778e4c58ee1d72b5b9dfc269c3

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
ef2ad035730886e233b98356e3d1ae9d

SHA1
42fcc5f58a17a876aa70dee427fd6cbaf239700d

SHA256
d40e27809b5cac96a5675af250531be2ae5a272d9d46a2d0fe874dae4bbcca2a

SHA512
16ad047a9859812eeb126bb2ba4a4eca41e9872830d1917583d046ff0820e5d05296b0e8ec4118b4d0382e7d5094a09251538a2543b6dffd179d733952f0747f

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
a1e9ee545df61b155d822e1358c69b47

SHA1
92d9c4ab75bfc75901843ce102a457dbc80f795d

SHA256
f119b36944157e5af80c005e6b7c395bdd0e8334b752eb1187f1cbe688545a5d

SHA512
f5ab29f013fbb6b3b8d252d56e7b61b3bbbd805508238fe3958493775e1f5899b990394c758d46255092cd54776bb20c3266dc7b02924db00cc4eae70b0e96ff

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
304b085657e940c1f881b2947adb3303

SHA1
0bb04c570c5e0ecc628d5aa7f5ce47718bcbf116

SHA256
0a87bf4618720f075e1756332bd96eb0b71a550e26f24ce5435150c91f2c3672

SHA512
d1f34c7c79a6ca2a1eb1e2439076f2459882a15dc13026e93c4bf7b0f833e92fffc6c0d777262236d059ba4553e4d3f22aa92b29780772fa6d9e72fe0cf3d47b

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
d2a00abbba6574cbe7cb220fe7207b4f

SHA1
1caafd4d761574979a63408f88e3c594b2d4f782

SHA256
60cc557bd68764b8f6db5a66cd1fce0fa9c926647e3503b7a0fbed361636dd5b

SHA512
36aed114bcdbd6c1a2609ec95bda3c10f27c6e505b154a8b017c09973ca150dcccacf1079d621c94e3b150902b36fb7152cc3f2f0603dda9f314df5477de2c0f

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
e74684a5c816b72de43537fbac3c27b9

SHA1
2ed3d91353cbd0bc65746580de5e07e9fe5a04bd

SHA256
a9251e843d16e0a2751f05353fc0ed3742a0b0ce4d856bdb04d488121db72dfd

SHA512
f8baa9e51c286ef02285512dc1885b7c547fca33aaa681fef5279bf662785587950dbed92b952ea5f0b99286c386d9ec0fd427d21d61d0d0ca479d138e35d0e0

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
1f67a4407935edbe01d3d2a1a55a82fd

SHA1
f386740b2fd8f24062a2f197fad4a4d2f5f450a3

SHA256
20b6813f83eccbd0835f54c3dc5f8930d6b351649fda3846adcd51c5ddf28c1c

SHA512
2387e0390eaaf2147d8255861eb18e3260201064caa5c4a3946419eb44edf8a0f9bd8744b6768e1a3f1675b86b6cd5c30a3caa9f503bcf4d3e19e4ddc05be76b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e3abc27963dbc6949f746b7852207f9e

SHA1
e638b095f3564995bbf59c41c2f1e96e85705599

SHA256
70761f071b715bbd00bd8e269e5e1702543b36f41954b6ebbbdef4a1c2e45645

SHA512
0b4951bcef4bf33a37436b47280bfc6eacf165409a7f2eaff8657a079c11b6d009c032b964cc842c48fc0adf645ef31a12fecbb39ce066282d4c1e5f10a8e3de

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
a939b8e74b89f59899bdaf32d2694e31

SHA1
1e06325a6066728978822672fd899afa9ae01efc

SHA256
ce792fdf91e40fc4fdd93b68fd115a86b38caa61d4317e7443a6efe5e3ab3205

SHA512
8fa3fb614469deb3f4079037dac1ec3622e5f0cb5bcc5f50e6fdd8f1168070962adef5fab0588d38e509b855c91e545eae3fdeb169041c90e84bd917464dceab

Download Submit
memory/568-246-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/568-236-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/568-189-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/568-193-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1032-0-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1032-6-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/1032-1-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/1032-7-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/1032-69-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1716-195-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-177-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1716-171-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-194-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-180-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-143-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1732-90-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1732-98-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1732-92-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1740-159-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-158-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1740-160-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1740-165-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-166-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1740-167-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1820-155-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1820-156-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1820-157-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-141-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1820-211-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/1968-204-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1968-255-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1968-249-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2120-179-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2120-124-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2220-225-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2220-272-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2220-232-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2224-89-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2224-13-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2224-20-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2224-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2224-19-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2404-265-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2404-275-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2464-239-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2464-288-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2464-244-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/2476-71-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2476-77-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2476-70-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-134-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2648-27-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2648-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2648-110-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2648-33-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2664-51-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2664-58-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2664-103-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2664-52-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2752-112-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2752-111-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2752-118-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2752-192-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2752-169-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2752-131-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2840-38-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/2840-43-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/2840-85-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2840-37-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2940-287-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2940-290-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/2940-260-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/2940-251-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2948-291-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download
memory/2948-285-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/3012-259-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3012-219-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3012-213-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download