783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
Size

1.8MB
MD5

4ae053d809ea918291171fdc4fbb83f5
SHA1

33fdf45ad8b05cd4752a5d421d5b28bebd3d2752
SHA256

783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2
SHA512

3d06d995d00b3aabd4ea4c7f5ddb08263038d7306b5837e8f9d34293d6bab2e6b4e3b9479d7b0a8eaf938aa09783449822e2ced03c06e3a8f82cbac682cf8848
SSDEEP

49152:gKJ0WR7AFPyyiSruXKpk3WFDL9zxnSg6KFdi2Ga9x3Ek0V:gKlBAFPydSS6W6X9lnNHFdi4VEk0V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
464	Process not Found
2808	alg.exe
672	aspnet_state.exe
1716	mscorsvw.exe
2952	mscorsvw.exe
1336	mscorsvw.exe
2724	mscorsvw.exe
2308	ehRecvr.exe
2256	ehsched.exe
2272	mscorsvw.exe
528	mscorsvw.exe
2768	dllhost.exe
2472	elevation_service.exe
1720	GROOVE.EXE
2608	maintenanceservice.exe
1752	OSE.EXE
2668	OSPPSVC.EXE
2240	mscorsvw.exe
2464	mscorsvw.exe
1992	mscorsvw.exe
2084	mscorsvw.exe
912	mscorsvw.exe
2916	mscorsvw.exe

Loads dropped DLL 5 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d1490557ae4ef42b.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT7C62.tmp	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_id.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_de.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_is.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_es.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_ta.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_fa.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\GoogleUpdateCore.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_ms.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_nl.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\psmachine_64.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_it.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_cs.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_ml.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_ro.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_fi.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7C51.tmp\goopdateres_fr.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9CDEE438-5ED4-460B-A260-49A4796054AF}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9CDEE438-5ED4-460B-A260-49A4796054AF}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3048	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
Token: SeShutdownPrivilege	1336	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	1336	mscorsvw.exe
Token: SeShutdownPrivilege	1336	mscorsvw.exe
Token: SeShutdownPrivilege	1336	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeDebugPrivilege	1336	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2272	2724	mscorsvw.exe	36
PID 2724 wrote to memory of 2272	2724	mscorsvw.exe	36
PID 2724 wrote to memory of 2272	2724	mscorsvw.exe	36
PID 2724 wrote to memory of 528	2724	mscorsvw.exe	37
PID 2724 wrote to memory of 528	2724	mscorsvw.exe	37
PID 2724 wrote to memory of 528	2724	mscorsvw.exe	37
PID 1336 wrote to memory of 2240	1336	mscorsvw.exe	46
PID 1336 wrote to memory of 2240	1336	mscorsvw.exe	46
PID 1336 wrote to memory of 2240	1336	mscorsvw.exe	46
PID 1336 wrote to memory of 2240	1336	mscorsvw.exe	46
PID 1336 wrote to memory of 2464	1336	mscorsvw.exe	47
PID 1336 wrote to memory of 2464	1336	mscorsvw.exe	47
PID 1336 wrote to memory of 2464	1336	mscorsvw.exe	47
PID 1336 wrote to memory of 2464	1336	mscorsvw.exe	47
PID 1336 wrote to memory of 1992	1336	mscorsvw.exe	48
PID 1336 wrote to memory of 1992	1336	mscorsvw.exe	48
PID 1336 wrote to memory of 1992	1336	mscorsvw.exe	48
PID 1336 wrote to memory of 1992	1336	mscorsvw.exe	48
PID 1336 wrote to memory of 2084	1336	mscorsvw.exe	49
PID 1336 wrote to memory of 2084	1336	mscorsvw.exe	49
PID 1336 wrote to memory of 2084	1336	mscorsvw.exe	49
PID 1336 wrote to memory of 2084	1336	mscorsvw.exe	49
PID 1336 wrote to memory of 912	1336	mscorsvw.exe	50
PID 1336 wrote to memory of 912	1336	mscorsvw.exe	50
PID 1336 wrote to memory of 912	1336	mscorsvw.exe	50
PID 1336 wrote to memory of 912	1336	mscorsvw.exe	50
PID 1336 wrote to memory of 2916	1336	mscorsvw.exe	51
PID 1336 wrote to memory of 2916	1336	mscorsvw.exe	51
PID 1336 wrote to memory of 2916	1336	mscorsvw.exe	51
PID 1336 wrote to memory of 2916	1336	mscorsvw.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
"C:\Users\Admin\AppData\Local\Temp\783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1716

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 184 -NGENProcess 294 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 11c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 254 -NGENProcess 23c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 120 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 218 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 340 -NGENProcess 348 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2308

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2472

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1720

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2608

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1752

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
b426567d620f2e052637f051e58ed7c2

SHA1
6853eb24ec61943feba2bdf36af286eeaf4e047f

SHA256
eb3e37e7e8d3666fe6f572ea7fd2c8b49983127ec98c6f14b687a4d158c605de

SHA512
6bec744550c745802a58ed1b86657091168b32495a182b86a86bc03b0a5417ad2943d785baa40210f399e4fd50fffa60f0da140df7853c32e196bfe75ef760c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
15cb73c24e9c499377b4620aec06d51c

SHA1
6811b98564390fee508510af6cc9b236229808ae

SHA256
4f16d518f9236037a8f196751ffa8e1f4b9be42a9ffd090f0fcb063296bcb975

SHA512
5ddfa2a26c62e3a7561d8ba83379c52369faf5b40ff7eca43f769ebdcb599b5b2e879179648fb8f72d4f04fee33e65f9624f06586e7314a0cb6cfe580f795bf4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
85f706753ee9d7425328efd8dc5b05c6

SHA1
3d348aa0e291906e027622f23c2c16d67693a69f

SHA256
fe78e3bc082ae756aadc78999d037b854f18cfdfd5a03b1ceab3c1cd3d9c9b4a

SHA512
c3f8cf823049dd8437c24d4c4713ff8fcc49c7649c6dc681eb272a7882cf278b57c6ae32e0f0351479f08664629096c01b6bdc0d8c0bf33e227e5a374614c9fd

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
43ebbf725fa89b3dd0fa62f869ea50e0

SHA1
a5ffe818dd72be2f0195c474993dd3575fad515c

SHA256
c7d6e6e63b5d1643d848885348064e0e8e8059a343e28ef485941457bcc1e144

SHA512
201e010ad120554343ca116ef394cb3ed4cf2b9769c993e6e6e70275145c37de4b354606ff21204898ad0d08f9b4c63b0a07a60a9fb826c23e10ece0bcf9287d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b67ea98fa175b1e9650cc3a8bd60cd2e

SHA1
c2f089051d45a1b8c0caaf053f3645d0c7aaed50

SHA256
37febb53703c4fd3781f0ec8bfe105a447e3d01510c84e0909d6ad64659c266a

SHA512
dc5f9e608bf7989d584754abb4fb61ffc7785b766ba097739a35c0064432019ebcae37da96fcbadee3960938763ff5016e6d96ba56c7c8612f06bea24e529e0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
42dffd2e4f3103fee2defcf031be4d75

SHA1
3e86505e15f9f582f86d58b8b425e5ead360f250

SHA256
4bcbe0c3f5b078ca10ba62ffa67c36e64f3b9d12eed358fe0eb8f783e29aee42

SHA512
1e328a0850a334af374168986b0fdf77cf9de70bc8e436f9c7b4c645a52f9f5b353991a84cd3e6a5a96e1a7fb69f2a96488060a6a8006c9f874263e96f281c23

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fc4290a9adf5d4beb1169469301e8f80

SHA1
4052b223e07208bb942e9c65e8834e6dad407bd8

SHA256
4a2b23d0dc1ebd3336cdb13cfd38f0994e4d98e077b0372285e3b2e347cf9080

SHA512
e01ea48c50d16b15df85b96504457434163507c7cf7e370142ce056bbfd6dd1dcf98b8b889a5f7f5a9667d91c60b744e8000bb5c2694d8af984fe8a5bb388a5e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
71dd03934ca53c547eda6dad426eaba2

SHA1
6394a73c1e04057939341f52ee01c7f34538678f

SHA256
4c5e4ee5c122ecf48c94518d50c4905cfaf3844c635fa0996e917f3e91500cec

SHA512
a2e0f08c278fcde0f99808ad305d6edd7920af72c7ea862c2beccb9d80112c806a1236e36d1ceb30a673f1236323d369d95cb94856beb0be447fcc0ae76f773f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0ad2117222004414dbb2005fd0682cd7

SHA1
f99e07e655435626cb039490c4cb50d3fbe7ce7d

SHA256
94a1e2399520c733e1bf5c4ba2f1cda6b6ace5fa863c8d2c23e456e2c7158daa

SHA512
a026d8750604e0a7d55b842442d8bc42f941269bc084afcc3b373ff2bac846c71be3d1e04867930c93f6bd0fd1032286e8f8ad60bbb14f91288443593ff46df1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
b362e4ba1b2d1dba93a640ef4ca40a05

SHA1
6ac3b28e15526b381c6f603aa59b3599ea75d28d

SHA256
9fee2189cf5756f7aab71859b838860c577f16ae51d1f8637cf371d92270f0b8

SHA512
0b2a22af2ae23af917385e1154b80a2d008202fd0e73549b99e9d03f645034e62c1a7fccea3a2ed3af52a7966040a9d7b7f24a8ba48d7695d173931e6af2b4ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ee3ad528d1fe66815a3633fdc4120c33

SHA1
0ae05ba119ed42c0f713d239fbfe37a3dc085349

SHA256
7f8244fe280b9bf5604b01eb0eebc30fe0a61eab7ecd6e7be6eccfe0cd961f42

SHA512
f2390a1b7c9bceff5b25f1da229c92d2697f1c32b02dcd30f30e96340749d784caf871cd586ba468f8e958d344140ef4cf1011ae6a47b9aafa27e0d1f1872a55

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6c8c69cf2af4a82b86071bbf1fea1cf2

SHA1
a4419023eed124a4e9b2e61b607bc40fffd63ac4

SHA256
9c23cb9642eaeb3aa6b6453f6ad603b09a8754255a91daaedbc21b7deb90f1d0

SHA512
53c16180a6679ac4ce9f9c1af76f15bc5cbceea7574adbc5a31c191622d3cee725b08a0ffce756475271055e7a8581b37ef7b920f72c209b7cee78225a3011ec

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d1490557ae4ef42b.bin

Filesize
12KB

MD5
255a040c3fd598938449807c9eab1f7f

SHA1
8a5af351818882fe0954c18a8c2b04026afb29d7

SHA256
2b87fc05b553e0992a214ce098ce9686c1cf87a4e1f4560fcf8c7fb73b07ec82

SHA512
775adbfcdc2f6e7203c52ecf37e16d78c4f4d45de6edf4e3c098ec4b6016193f3a2e7cf657fb4226c6b1d21f921ab76af51089f0cd9e3baa4a76f2e6836e5bd7

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4d3826665c51f2f14a781c3c55e1bbc2

SHA1
d53739a956958a7613e6fdb5f923d87def78d6c1

SHA256
e59fb177f1e157bf6636756c71742d88b06dc6e186f217815e85c7631b051281

SHA512
3d8fb78889b70815025ac7aa39b5c84373a90d861d0d565dd78d151ba22a871641c6173ce97c61c006abc9b4639c23760e74a15c93a470d812b9886678329b7c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c2d154f113b25e8c9f6aa2eab549357b

SHA1
949a66ef7b989a8179a1f56dfcf53faad4c6802c

SHA256
1e6527a067f05bf745afa5db6d157c34b4e1e8d009657af387d67f695188a0b6

SHA512
b8660d25df5c182c8addb44827a61b84fbbc0879590ba2b65f8432bbf5bd67d9663858aa9f0d674118776ea1a5f52fc3e96d2caf38ed2d6a64db2606f7929f20

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d0fede2ec1760d9c76862e1f787c031c

SHA1
79edc239fb67940b921895e5282c7c5ae68ace87

SHA256
65e3891c61f8500ab6e694f99a2b623d42a9ae2bfad76d37aaebe788a15616b5

SHA512
86d6adde21e921582d6a21f334ad9376d547df7a7fcf1e34489c71662308228a6a974a83dbc76a0bfc2718b89fcfbb6062b71cb884a17fb82770f5e99ec5a5e7

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
a3f1e5f17ad36d54328f62e94384377b

SHA1
e5a804348106209ffc40c1641c954e6b169087fb

SHA256
32c8f40c3a95a139ee29b33b2ac73149533f4735e1b6ee0f9b7640906c4a34d6

SHA512
31d7ef616a3fd8b446d8b37b5780bbd40d247f0ece36b6bedebc5a1cd91148a7cfff80674b2be50f68fb85e21eccca0ffa1f3e3dd86726210771af7258690d47

Download Submit
memory/528-267-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/528-300-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/528-264-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/528-258-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/528-253-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/528-276-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/672-85-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/672-165-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/1336-117-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/1336-261-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/1336-116-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/1336-123-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/1716-88-0x0000000010000000-0x00000000101DA000-memory.dmp

Filesize
1.9MB

Download
memory/1716-89-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1716-95-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1716-114-0x0000000010000000-0x00000000101DA000-memory.dmp

Filesize
1.9MB

Download
memory/1720-306-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1720-395-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1720-308-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/1752-323-0x000000002E000000-0x000000002E1F0000-memory.dmp

Filesize
1.9MB

Download
memory/1752-422-0x000000002E000000-0x000000002E1F0000-memory.dmp

Filesize
1.9MB

Download
memory/1992-532-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1992-527-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2240-497-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2240-436-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-432-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2240-508-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-429-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2256-164-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2256-160-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2272-175-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2272-256-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2272-269-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2272-270-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2272-271-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2272-168-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2272-169-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2308-162-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2308-166-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2308-459-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2308-145-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2308-268-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2308-147-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2308-266-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2308-469-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2308-153-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2308-158-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2464-502-0x0000000073250000-0x000000007393E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-481-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/2464-474-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2464-524-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2472-391-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2472-294-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2472-287-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2472-286-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2608-318-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2608-311-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2608-328-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2608-327-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2668-470-0x0000000074828000-0x000000007483D000-memory.dmp

Filesize
84KB

Download
memory/2668-417-0x0000000074828000-0x000000007483D000-memory.dmp

Filesize
84KB

Download
memory/2668-330-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2668-426-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2724-136-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2768-339-0x0000000100000000-0x00000001001D0000-memory.dmp

Filesize
1.8MB

Download
memory/2768-274-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2768-282-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2768-280-0x0000000100000000-0x00000001001D0000-memory.dmp

Filesize
1.8MB

Download
memory/2808-49-0x0000000100000000-0x00000001001DF000-memory.dmp

Filesize
1.9MB

Download
memory/2808-159-0x0000000100000000-0x00000001001DF000-memory.dmp

Filesize
1.9MB

Download
memory/2952-106-0x0000000010000000-0x00000000101E2000-memory.dmp

Filesize
1.9MB

Download
memory/2952-133-0x0000000010000000-0x00000000101E2000-memory.dmp

Filesize
1.9MB

Download
memory/3048-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/3048-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3048-249-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3048-144-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3048-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download