a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd

Analysis

max time kernel
45s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
Size

1.8MB
MD5

70c6971dece93378992d19050af772a6
SHA1

9258c52541efa035914e970a1c7341d7af3f28f7
SHA256

a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd
SHA512

0756cffdd4876547c6d98b0c294ac2806b2b88b6a6a41e24722b0f7bdf36773a05d5fb4f49235b43680d02c8b868f03167a49845dd9f5f93c5e7cbd21694ea05
SSDEEP

49152:MKJ0WR7AFPyyiSruXKpk3WFDL9zxnSSP4suIRbDv:MKlBAFPydSS6W6X9lnlPHn3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 18 IoCs

pid	Process
480	Process not Found
2608	alg.exe
2936	aspnet_state.exe
1476	mscorsvw.exe
2680	mscorsvw.exe
616	mscorsvw.exe
1268	mscorsvw.exe
1940	mscorsvw.exe
1036	mscorsvw.exe
2056	mscorsvw.exe
2072	mscorsvw.exe
2240	mscorsvw.exe
2396	mscorsvw.exe
2744	mscorsvw.exe
1628	dllhost.exe
984	ehRecvr.exe
580	mscorsvw.exe
2868	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae7fc600aad3ae89.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ar.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_id.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_no.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_iw.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_nl.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ru.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\psmachine.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleUpdateCore.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_is.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ta.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleUpdateSetup.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleUpdateComRegisterShell64.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_bn.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_fr.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_sv.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_th.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_es-419.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_lt.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_pt-BR.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_hu.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_kn.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleUpdateSetup.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleCrashHandler.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\psmachine_64.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_gu.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleCrashHandler64.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_am.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_zh-CN.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_hi.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_it.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_sl.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleUpdateOnDemand.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_da.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_de.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_mr.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_te.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_tr.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_et.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ms.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ro.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_sw.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\psuser.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\psuser_64.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ca.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ko.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ur.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_vi.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_bg.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_fa.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_uk.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_sr.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT2BE2.tmp	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleUpdateBroker.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_cs.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_zh-TW.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_el.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_en-GB.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_fil.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\GoogleUpdate.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_fi.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_lv.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_ml.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdateres_pl.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2BE1.tmp\goopdate.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1888	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2936	aspnet_state.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe
Token: SeShutdownPrivilege	616	mscorsvw.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1940	616	mscorsvw.exe	34
PID 616 wrote to memory of 1940	616	mscorsvw.exe	34
PID 616 wrote to memory of 1940	616	mscorsvw.exe	34
PID 616 wrote to memory of 1940	616	mscorsvw.exe	34
PID 616 wrote to memory of 1036	616	mscorsvw.exe	35
PID 616 wrote to memory of 1036	616	mscorsvw.exe	35
PID 616 wrote to memory of 1036	616	mscorsvw.exe	35
PID 616 wrote to memory of 1036	616	mscorsvw.exe	35
PID 616 wrote to memory of 2056	616	mscorsvw.exe	36
PID 616 wrote to memory of 2056	616	mscorsvw.exe	36
PID 616 wrote to memory of 2056	616	mscorsvw.exe	36
PID 616 wrote to memory of 2056	616	mscorsvw.exe	36
PID 616 wrote to memory of 2072	616	mscorsvw.exe	37
PID 616 wrote to memory of 2072	616	mscorsvw.exe	37
PID 616 wrote to memory of 2072	616	mscorsvw.exe	37
PID 616 wrote to memory of 2072	616	mscorsvw.exe	37
PID 616 wrote to memory of 2240	616	mscorsvw.exe	38
PID 616 wrote to memory of 2240	616	mscorsvw.exe	38
PID 616 wrote to memory of 2240	616	mscorsvw.exe	38
PID 616 wrote to memory of 2240	616	mscorsvw.exe	38
PID 616 wrote to memory of 2396	616	mscorsvw.exe	39
PID 616 wrote to memory of 2396	616	mscorsvw.exe	39
PID 616 wrote to memory of 2396	616	mscorsvw.exe	39
PID 616 wrote to memory of 2396	616	mscorsvw.exe	39
PID 616 wrote to memory of 2744	616	mscorsvw.exe	40
PID 616 wrote to memory of 2744	616	mscorsvw.exe	40
PID 616 wrote to memory of 2744	616	mscorsvw.exe	40
PID 616 wrote to memory of 2744	616	mscorsvw.exe	40
PID 616 wrote to memory of 580	616	mscorsvw.exe	43
PID 616 wrote to memory of 580	616	mscorsvw.exe	43
PID 616 wrote to memory of 580	616	mscorsvw.exe	43
PID 616 wrote to memory of 580	616	mscorsvw.exe	43
PID 616 wrote to memory of 2868	616	mscorsvw.exe	44
PID 616 wrote to memory of 2868	616	mscorsvw.exe	44
PID 616 wrote to memory of 2868	616	mscorsvw.exe	44
PID 616 wrote to memory of 2868	616	mscorsvw.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
"C:\Users\Admin\AppData\Local\Temp\a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1476

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ec -NGENProcess 1dc -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1ec -NGENProcess 250 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 260 -NGENProcess 1dc -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 238 -NGENProcess 1d0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 268 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 238 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 278 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 23c -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 284 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:984

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:2076

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2268

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:956

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:1068

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2296

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:1632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2928

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:816

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1372

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:3052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2276

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:708

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2292

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2844

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1852

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2632

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
126bdd3e044e8638286029075e50a5a1

SHA1
bfd95e3b61c14fc6e65d113e7f0e6cd34541f673

SHA256
f6aa23de8559d1e51b9e68f85650f682797e06dcd95d5f238785fc933bb03d11

SHA512
5472e836167e34a011d8853ee28a0d17f0afa148a564cd20ee1583e2938fc0e1e2c4e96166acde9c93921578e697888894ad4e892d5bc4ef13ccadb14ec575b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
9.3MB

MD5
e368b6969d9f60912a4e4a7cf70a6141

SHA1
876c615e149b84764ed482c897c7bfcab714c6b1

SHA256
d69e6e08398363c135e414cfa9df5b6a79f2bcf159db186b8f5d6066a177aa3f

SHA512
31947564c7108067e0fc214248bcff77a44a4f7564abbe65c08d49275e96416f42a278854e43f84bc55ee7a7431680e34379c0238f1089071cadd2d097740d18

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6faba9754859ac9636fa12aa1f35d35b

SHA1
7d83341fba9ff7930ae6fbe14d471da58cf36c06

SHA256
803b1b53343108bda9659c1445359b69da11d269c44d9ffb1a9f511cd4914f3a

SHA512
06dc8ea4f08c833887c87ab45fe68a224ec125c831e1074d57692f38f6c81c5e8f716c8e867ab7246932a9acf324da367d83ff30c69dc908c81a80926da05af1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f3f73cb2196d66cb744ad58475b9d5db

SHA1
edb25b2a521cf159018fe6cd9498cae102a0ba93

SHA256
f40056423eab86c93f23fba284b2424cb5e22503562bae8fefc0caca6bf887b8

SHA512
2ab7cceb76b9199417237fcbe3309c91f8168eff60527476c7e1d3b0f9e2cba42d8a3c921dccdf74bfcd3a0cd3c07e83504ac64cd0213e46748eff292b8ee3de

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e4cdcc7634894456c1b73f6e84493b13

SHA1
fd2c2c025e47ae89696064f34f09846d8c86e095

SHA256
97784ab4cffacc5f7b841ece23d04cea9f0e6133c41999764205b39637a234dd

SHA512
8eead4b533d9f2ca762db64989720b42c4cfddd887e4d20ccfe7f7ca761e13ba8fe55de79ad33fdc2fec4d38b3320b0145c9cd4a50a77cbd48834bbe37c01eba

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
1d58623395760fe1438d0127fa3b9d59

SHA1
ea8cbc01b546aee13841315cd597bef06481344d

SHA256
4d7ad08716ec0832ae69f1e60556477b0df25f2a8cb0c180f7f0d11650430b8b

SHA512
3241c4aca4e31a68dc10c01c7a0319a7fa9e2d9179faf5e377c3ecac7f14fc227183bb6c1f8ccb24c5ab33cf696e84820c1b7617b8e536c4576f95ed6eda89da

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
0280dda89c133332816ed57e748881cc

SHA1
13bbe3ac833138fdb336d97071e2916a25279de0

SHA256
00d1c2291bb33079f3657bbe1fca6883ef1285c98c7ab65ca50dcf344c343bae

SHA512
8249dfb309a55437e0ace4d84254366eac1b64175175f1648efe36c5082f18dd4771bb9caf17b3c77575d9acc697b2707784f6c88157dbc318a756a4447f9217

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
f55dfd68e637b065cb4fb7a269a95252

SHA1
780c645955d92b6ba4c7f96ec53ed9cd0f25fc30

SHA256
80674113e8badd105ab4022dc76ac2775779fbab9533b119f53141b1f751f569

SHA512
bd189ea33a58a1fb3cb4f64c6acf54a0b4bb847adcaa0aa3617e60af00ad59dc19f9fc42dc67004f2c373470c98434c25288571d258f30cc8be97e5fcf43b76b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
3b52eb37ec155f0977e389f0228d46c5

SHA1
f9a162b361b2ddf0e2ac8d1946090953a87224ea

SHA256
0c835b4f2fd698b1eb26d99fb1dbe503f495846f99bc734128d5acdef233bfb1

SHA512
feca48bc1f50e639af182dc56925bd08952d0fea33546752d1a7782866e69e5519d006769015719025e0bfa7f00d4703efd6e8b4244c898dca16c5eed132f542

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
bd8073d06ca01115a32e56908eebf300

SHA1
4edf7f0e85cb77f613fcd67ba00428d0a9313e4a

SHA256
3fa1aa7d4ee3557931d90e21329ae119e6cc89480faf993411dad25f7512a2a0

SHA512
f0d8da6484b4f4a353b5e03aee793373ed0ff39223f48d77e65b9ca91d517cf8373435b0da6c7b84635505a7de4eae410e8bb21087ed2ef6c107e46061ab3f44

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
0c337bfa4cbef886a686959da2578348

SHA1
b22ffb645ba832dbf5dd2bb7c91f01eea9b65a4c

SHA256
03df54f588187d5fde69ca9671ec76c18d561662275b391f6073f9bf449ab065

SHA512
24111c2a9e9cdacb3bdf95395c646249726e05b937d246e3e24657ac31cf7137e1b9f37c4c2d86b6b2fdc54dfe45883f9fe6865fc55392db24d6fc1615ff8110

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e7dd768b5f5ef189142106cb9a3044c1

SHA1
110df33bd45259d14a7a1471139068db97f63068

SHA256
80bf262b7b57e4977383e8709b751414ce28830fc5b3c79d5040fc4ef35bf74e

SHA512
fddaec8a533e841df4f7fdad20fc76407f58f3fbe8ab1309eb8edcc110c0f49b91a216c7eeab91887a80a9e8b467eeef62d0de8b8474e66ef255732bef40ee2c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
12422a5c9d39d3c0f8ab1c8c778e8020

SHA1
3d3603aa000dd12fa844368e0a02f03afabe721e

SHA256
dbf14a1b8f8e87a7b2555e3ebe0dbcc3567c8ad501eb21df8c37734f84aef59c

SHA512
d3d5a2f6ea4ec69a72609eeae0ec4895d42220319ac58b8b1e32b9853f2d46a010da8bdc2e485547497288ff358b053559e61bef48152d500683553ae72fd139

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
ccf3d585e5fcb51959f3fe7c7c10a96f

SHA1
6e12220c33be96e63abfd5a46c43a658629906a6

SHA256
ac16c86efdf1fbbdf0bf6d5e378891622518162023a826a8bf0e61f6baa10d18

SHA512
0d8a183160dc1e816eca794225a4827fdb461427c7c0fdc57f3ed9c00b2e96734061741e5d09c0add87378d09c23771f58289ae4ceda24412c0f790d3ad21959

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
91ff3c68b4cde0ef311c604294d995aa

SHA1
f8ea964eed0049296d8d98e5321ff35343d19996

SHA256
ed4a2f9ad048b3c233c6dec34381e270d9bf80fa600d3f4b4126e7540c6677b0

SHA512
2a43e392932495027469b430017ba613e474ba42bd9c9a49beba6e0ca2e3ab4c9ce2d2a3fe26b925223c2abef4bd86f40713c514fdb0abe121c702177ca60883

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
1cff4bde025732bc442bce0ed1e313a9

SHA1
6a843f0df6b9c2868af9a9b5d2e03af4ca8302d1

SHA256
dbe11b185d6166f2a1a1d372cb8ba257629fe2fd860a0ad91a09ef360ff4615b

SHA512
e1d52112c321d890fd491f21612309238386a43d3e2cec6e236ae8482b0435130ba91ef1cd312c0969899beaf7faa82504c44b8b2bd32ea1f9e5a4c9c67bfd2f

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
b9e08442cb5cc3a9640a93963a984319

SHA1
1e9eae6f6052c78a28ae22f292105ba7b1ffdf7a

SHA256
5420d4b5faae6a3b42dde410327c875d93427b6e0d503dac19ef268d3cb28161

SHA512
de37069d38c8fb0d0a3c722e5a64e4df8a800b452a2a264e095cee640c2b080d7172d1a6198bad8b662d43174e321f756e8f45c190551c3a1ecd99acfb89c859

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
b404c0d7483a3f5f1a14ee82109f01c1

SHA1
ee8518c237c7d573e05e93ce1b28929d745ebbbd

SHA256
8edcbaee8d946f17975207406a9973d7b38dafa4f0988d79fdaae7b216130ef1

SHA512
0c5438e6858d710d7a06586ffe7ced3848736bb2104e689ba1180e85b94bee1c28c806f172ccbfac395bea8183b820d12da9690cac4ef445f9f0dcfe11dcbd7e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
ce3226c889f589150c15c42dcb23c8e3

SHA1
a9b9ede8c61b8cd1b795e1ba8bdb7a022c79d91e

SHA256
3a3267519e9ada34bda2621b2c347d8909a4b0a3fcaa3f0a657f23938edede2a

SHA512
28b910e89a4bec5a9f7780061ecd6faee08cc382de20ff59bd860762e070f30ce4124a1184682a8deea51c9b8e172bc6f3e276bee26f136aea2e8425310f103c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
1bf586d32b12497a5ee0b205d40ddb8b

SHA1
a798cfc6c8c98d83d5b95cb4c20e44e056e24925

SHA256
2f31cd68df23c9cdb1d51017a2077f1f912b1a3fd2b52487cddc56ab1351e949

SHA512
20b5e22b78b221721b0fa91cce4d71997124a3dd74a9ba0e53102bf44444ce3970241f6933791792a8f519c0a8deabfe4e5b50efd2283eb8b8e0d024cc7b5eea

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5ec21c871a9d465e004f5f628660bf23

SHA1
11a5c67c4f26f19e73e2d642bd2e2d3d8952c705

SHA256
dfdf8f7c0aaee331a7ca43791721bc39f96779f9d3984fb66884d106cc34cccd

SHA512
b7dd96eb3717794bd3496ae92b9cc6a9d5f70221bea216d93281032b0a2c3e1e7fd6fb72580848bccad6445dd3a59f95118d9cf77341de9d068b3a3c44d8609d

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
e87d8b80cc36b9706b9d7bbb1324eccb

SHA1
2de5ef2485d41e6fd4c842af9a3b2f8e5da4cb36

SHA256
51a1adc8c8353d6dd3efa33bbf55035512a8a194e482e7d936ff6f9406b9398c

SHA512
f2c157eb59fd280d5baed2dae387c49235b187efc6e00620c1cf9633ca9d59e789effc6b48411ddc8b4fd0217ce442ae6ebb2454a253e207b785f5e6d46022b7

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
58e9b18f38d83c9f464d8c3868c8e93c

SHA1
1192e87d118aa8892eebcb5393c8bcc07f92a87b

SHA256
a5c307c3b02f55c2101dec6e7103e2774070aa50e68080cd25c697962ed72191

SHA512
182ed35a8083026141961aaeb95192ee173b039fc827174aafbf16f73cc36608478d5f34830fab734edf66e51f458bf8076e382415ff15afa00e38b148e5d998

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
ad2707705705c7fb10ad6d82172f365b

SHA1
af83992ea8ebb1bf9123f97842c33e94245c334d

SHA256
8729a07e9cdfaa8b0ab3e117ccbaeee297b509a56d41aac5ef38af03454be016

SHA512
9e67affc8d0e25fb5707d7d35a367885dcf0315c802f7f3ab3c67c02110e75cb7932d1356228aa01358d5d3699499e2446d03f3a435c925e98b531542e051a50

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
6bacc67712ea46741978993f02725a60

SHA1
e42c1c127dbaa094f6fd73d24338662ba4679df8

SHA256
fdfb697a45432e4ffaa9efc71913e62c6224b2c2a0841e2955057bd863d47213

SHA512
92e2a816c63ab777da37972f52637fc7bf0bb16a9d4c8b5777a0b0f8f64b9b0d8c48fbcd58f51652fee5eea27c05e0302eb6769423fca2364b9fe04eb650f7ff

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
3aa30b1715f580656b45b24e1550f056

SHA1
fb69d6351bde2913106c199b98c67640e5ae8b16

SHA256
c0cc6ebf89a5ba7ff7fd8a4de0c18abef0caaa693acab45a41660c1002fcfd30

SHA512
cfcea3577772e6b6d851c272de8ecf54c44a2ede09dc71f16f01f09c1767cb14bb7dd714581e8ff9da652e27d7c16108297372cd014b4768a9e3b088ecedc92e

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
47e9d94f71a382d862490e15f4d8e0fb

SHA1
4fd5d57e6acec583979d9efe6626941ce768c4fd

SHA256
97acedd38560ca196c29e4a222d17cb9ccc18bc323788ed962e79df0f49ae530

SHA512
7dfe4cbd11a097c32a32e7d152c1b5e5c19fced30380f8b43ae23101f98b91a8fe14a2c9bb40c8cd6d218be0dc94d1eee4a4d2265e6a0b255fe42c71ec544f21

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
8d47563bea26c52eb94271c962a5ac6c

SHA1
0b5244562ec0e2fc70ce881385a4804b823fd271

SHA256
f55620bbba7738d806453db67f509b3a2a5281378262946b90e1eac59f6804a0

SHA512
b88c82677ad93a953da2d3278b4d96ac22ba5fd0e64eb6a285c2bf3f95d8fbdf59958667209eb2c77fb6945a03aba1fc4c0f859e5551f41dfc344855003702c1

Download Submit
memory/580-373-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/580-361-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/580-366-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/616-257-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/616-140-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/616-135-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/616-134-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/984-359-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/984-371-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/984-394-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1036-247-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1036-271-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/1036-250-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1036-251-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1036-258-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/1036-272-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1268-151-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1268-150-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1476-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1476-103-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1476-132-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1476-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1628-390-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1628-342-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1628-332-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1888-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1888-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1888-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1888-228-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1888-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1940-241-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/1940-239-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/1940-234-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1940-233-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/1940-255-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1940-256-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-273-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-287-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2056-263-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2056-286-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-269-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2072-303-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2072-276-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2072-281-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2072-288-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-302-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2072-301-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2076-399-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2076-392-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2240-318-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-317-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2240-304-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2240-299-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2240-294-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2396-307-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2396-319-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-347-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-348-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2396-349-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2396-312-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2608-154-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2608-16-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2680-119-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2680-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2680-245-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2680-120-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2680-113-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2744-335-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2744-377-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2744-376-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-350-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-322-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-384-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2936-92-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2936-86-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2936-78-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2936-229-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download