c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 18:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
Size

1.8MB
MD5

3c15109d6f84e3ea18adc427da642f65
SHA1

88ccb7ccfa628bb3e20fb18dff574f66d6bf9e42
SHA256

c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905
SHA512

4bccd6f53f3fbb20bc4a64e5e1d1d7919a8bed57dd3a8bfc6321895b0741e0440c698befc1f252d221a9e93cd45b7f71e0e9dbe8b52106eb9d826c4d51be6e87
SSDEEP

49152:5x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WABf9Ckt7c20+9qNxUW:5vbjVkjjCAzJSfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
468	Process not Found
2816	alg.exe
2764	aspnet_state.exe
1320	mscorsvw.exe
1912	mscorsvw.exe
2044	mscorsvw.exe
1756	mscorsvw.exe
2712	dllhost.exe
2272	elevation_service.exe
2212	GROOVE.EXE
2680	maintenanceservice.exe
2528	OSE.EXE
2500	OSPPSVC.EXE
2376	mscorsvw.exe
860	mscorsvw.exe
1324	mscorsvw.exe
2680	mscorsvw.exe
2404	mscorsvw.exe
2304	mscorsvw.exe
1724	mscorsvw.exe
1112	ehRecvr.exe
2904	ehsched.exe
1816	mscorsvw.exe
2592	IEEtwCollector.exe
2820	msdtc.exe
2744	msiexec.exe
324	perfhost.exe
1664	locator.exe
764	mscorsvw.exe
1808	snmptrap.exe
1540	vds.exe
836	vssvc.exe
2832	wbengine.exe
2888	WmiApSrv.exe
552	wmpnetwk.exe
1736	mscorsvw.exe
1900	SearchIndexer.exe
2916	mscorsvw.exe
2836	mscorsvw.exe
1436	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2744	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
744	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9349404bae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_pt-BR.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_en.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_kn.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_sw.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_zh-CN.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_sk.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_ro.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_it.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_sr.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_fr.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_gu.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_da.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_ms.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7E25.tmp\goopdateres_iw.dll	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{777FBBB6-F20F-4C69-AD63-5B778BD47F58}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{777FBBB6-F20F-4C69-AD63-5B778BD47F58}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{86C32B73-04DF-43B2-9B4B-29EDFBE039A1}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
624	ehRec.exe
2764	aspnet_state.exe
2764	aspnet_state.exe
2764	aspnet_state.exe
2764	aspnet_state.exe
2764	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2808	c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeShutdownPrivilege	2044	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeShutdownPrivilege	1756	mscorsvw.exe
Token: SeDebugPrivilege	2816	alg.exe
Token: SeTakeOwnershipPrivilege	2764	aspnet_state.exe
Token: 33	1172	EhTray.exe
Token: SeIncBasePriorityPrivilege	1172	EhTray.exe
Token: SeRestorePrivilege	2744	msiexec.exe
Token: SeTakeOwnershipPrivilege	2744	msiexec.exe
Token: SeSecurityPrivilege	2744	msiexec.exe
Token: SeDebugPrivilege	624	ehRec.exe
Token: SeBackupPrivilege	836	vssvc.exe
Token: SeRestorePrivilege	836	vssvc.exe
Token: SeAuditPrivilege	836	vssvc.exe
Token: SeBackupPrivilege	2832	wbengine.exe
Token: SeRestorePrivilege	2832	wbengine.exe
Token: SeSecurityPrivilege	2832	wbengine.exe
Token: SeDebugPrivilege	2764	aspnet_state.exe
Token: 33	1172	EhTray.exe
Token: SeIncBasePriorityPrivilege	1172	EhTray.exe
Token: SeManageVolumePrivilege	1900	SearchIndexer.exe
Token: 33	1900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1900	SearchIndexer.exe
Token: 33	552	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	552	wmpnetwk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2056	SearchProtocolHost.exe
2056	SearchProtocolHost.exe
2056	SearchProtocolHost.exe
2056	SearchProtocolHost.exe
2056	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2376	2044	mscorsvw.exe	40
PID 2044 wrote to memory of 2376	2044	mscorsvw.exe	40
PID 2044 wrote to memory of 2376	2044	mscorsvw.exe	40
PID 2044 wrote to memory of 2376	2044	mscorsvw.exe	40
PID 2044 wrote to memory of 860	2044	mscorsvw.exe	41
PID 2044 wrote to memory of 860	2044	mscorsvw.exe	41
PID 2044 wrote to memory of 860	2044	mscorsvw.exe	41
PID 2044 wrote to memory of 860	2044	mscorsvw.exe	41
PID 2044 wrote to memory of 1324	2044	mscorsvw.exe	44
PID 2044 wrote to memory of 1324	2044	mscorsvw.exe	44
PID 2044 wrote to memory of 1324	2044	mscorsvw.exe	44
PID 2044 wrote to memory of 1324	2044	mscorsvw.exe	44
PID 2044 wrote to memory of 2680	2044	mscorsvw.exe	45
PID 2044 wrote to memory of 2680	2044	mscorsvw.exe	45
PID 2044 wrote to memory of 2680	2044	mscorsvw.exe	45
PID 2044 wrote to memory of 2680	2044	mscorsvw.exe	45
PID 2044 wrote to memory of 2404	2044	mscorsvw.exe	46
PID 2044 wrote to memory of 2404	2044	mscorsvw.exe	46
PID 2044 wrote to memory of 2404	2044	mscorsvw.exe	46
PID 2044 wrote to memory of 2404	2044	mscorsvw.exe	46
PID 2044 wrote to memory of 2304	2044	mscorsvw.exe	47
PID 2044 wrote to memory of 2304	2044	mscorsvw.exe	47
PID 2044 wrote to memory of 2304	2044	mscorsvw.exe	47
PID 2044 wrote to memory of 2304	2044	mscorsvw.exe	47
PID 2044 wrote to memory of 1724	2044	mscorsvw.exe	48
PID 2044 wrote to memory of 1724	2044	mscorsvw.exe	48
PID 2044 wrote to memory of 1724	2044	mscorsvw.exe	48
PID 2044 wrote to memory of 1724	2044	mscorsvw.exe	48
PID 2044 wrote to memory of 1816	2044	mscorsvw.exe	51
PID 2044 wrote to memory of 1816	2044	mscorsvw.exe	51
PID 2044 wrote to memory of 1816	2044	mscorsvw.exe	51
PID 2044 wrote to memory of 1816	2044	mscorsvw.exe	51
PID 2044 wrote to memory of 764	2044	mscorsvw.exe	58
PID 2044 wrote to memory of 764	2044	mscorsvw.exe	58
PID 2044 wrote to memory of 764	2044	mscorsvw.exe	58
PID 2044 wrote to memory of 764	2044	mscorsvw.exe	58
PID 2044 wrote to memory of 1736	2044	mscorsvw.exe	66
PID 2044 wrote to memory of 1736	2044	mscorsvw.exe	66
PID 2044 wrote to memory of 1736	2044	mscorsvw.exe	66
PID 2044 wrote to memory of 1736	2044	mscorsvw.exe	66
PID 1900 wrote to memory of 2056	1900	SearchIndexer.exe	68
PID 1900 wrote to memory of 2056	1900	SearchIndexer.exe	68
PID 1900 wrote to memory of 2056	1900	SearchIndexer.exe	68
PID 2044 wrote to memory of 2916	2044	mscorsvw.exe	69
PID 2044 wrote to memory of 2916	2044	mscorsvw.exe	69
PID 2044 wrote to memory of 2916	2044	mscorsvw.exe	69
PID 2044 wrote to memory of 2916	2044	mscorsvw.exe	69
PID 1900 wrote to memory of 2564	1900	SearchIndexer.exe	70
PID 1900 wrote to memory of 2564	1900	SearchIndexer.exe	70
PID 1900 wrote to memory of 2564	1900	SearchIndexer.exe	70
PID 2044 wrote to memory of 2836	2044	mscorsvw.exe	71
PID 2044 wrote to memory of 2836	2044	mscorsvw.exe	71
PID 2044 wrote to memory of 2836	2044	mscorsvw.exe	71
PID 2044 wrote to memory of 2836	2044	mscorsvw.exe	71
PID 1900 wrote to memory of 2140	1900	SearchIndexer.exe	72
PID 1900 wrote to memory of 2140	1900	SearchIndexer.exe	72
PID 1900 wrote to memory of 2140	1900	SearchIndexer.exe	72
PID 2044 wrote to memory of 1436	2044	mscorsvw.exe	73
PID 2044 wrote to memory of 1436	2044	mscorsvw.exe	73
PID 2044 wrote to memory of 1436	2044	mscorsvw.exe	73
PID 2044 wrote to memory of 1436	2044	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe
"C:\Users\Admin\AppData\Local\Temp\c791af34dd29b232e14e5ca96d8769de441c2a2b3044ac3fd6d40cedd166f905.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1320

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 1d8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 288 -NGENProcess 1f0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 1d8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 25c -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 1ac -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2272

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2212

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2680

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2528

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2500

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1112

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2056
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2564
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
184e37a1384c38e8a6ffcad674e878e0

SHA1
eef8f4d8d1e0f5117a882f643b747d23e89784a2

SHA256
d29b4f1bbd5df51e98c37320dfb16f695230b15b8ea9d137aeb3a9218004e0ea

SHA512
578fca2dbb1fc51cc7dfaa1f383166848b1d4c7224960ae9d812ade99dc153a6337353031a617c030b291d58e61d6d46ae0abcc96a335b19fb6f462f99325b6b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
41618e22b8b2fa8da78ff65d2bdb5940

SHA1
596cf290204a5dabae94ea8d9c5aef53c0cefe14

SHA256
93987c3b08d0dcf99d19124a8aa6f5ab102f9f39e1e0d9b7f6bd3ad213feb198

SHA512
62e0e6f2000474359b3ed6be124719ed44d60da0090d57a7b36a9a34d43025e77a92bc0ea12bbdf7e1e7d880c538503cdde30a78befbd423bebc956107f561e4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
6df66ea8ebbf18f04b79152924417228

SHA1
ac103b1d25ac776ea8c7a42ba8f987fdb8dfff74

SHA256
e0026c75660bf3c6f66f8bd292c610a9c5c87be09846a57cac4afcf94625584e

SHA512
c91d2fbfecff197e5d510e4f33d50b401f7833131267c89faf63d8ce13ec811a25a03dc11dfad081eebae1a0ad86bac9f00a5cb6e129a34300fa62f5a3130bd7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
135702fa17b7af864852395af0d9f7f6

SHA1
e00fa21f562eb75fff9c86ac5c8f623b015c927a

SHA256
90e6d92797bf79f9606e56fd4b67139e47b3b3e31151cd3b465be4d7941f628a

SHA512
ec1b3de588e1d8fd1bfc6a493ac4da140927ca67a9a6d1bda92a7daefc6e1c4e3c76f1f0647d584b017824d8e64d257f93780e9cd63b7216ff4f9b2933b2a5d6

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
5f36cc5b05e912ff86c423aed8181f1d

SHA1
8a6981c1da3e906d17251c6f3a58f4de5835ee67

SHA256
fd80e6124a8aad1680c4fc89001665f4ba9172abb75e263f5fa290d0b82148dc

SHA512
faf40bce245de3fd022c034abadb80c7d4d496e6950b5b7f5e3f4a39e811123628cda438787a8bad3455618ca6f293d70478dfc8d4ad5014bdfe829fe54bd066

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
1dd904d63dac5f918a4134cd45a4f9b2

SHA1
87201dd6af322680b3db3997c6d78a86e502166e

SHA256
47c0fae3a94597aab805566ff72825108e60acd9119c19f0190201763aa7a84c

SHA512
f559b89d950149b3146d491ace592903e5ae47b133f9ac82bbc537c1921470a17c685cb2c54388edb5dc77fdea48eda49f03a4c60fb87b15486fc6f7edf58d2d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
913cbd988bad8a1bcc8a3793a7081b45

SHA1
3ba0f6acaab46d823a8c85a90c568549c23974a1

SHA256
f0db225b8164ad4b2fb52fca3ce4656906f3d094482543d8e524068b3e0a4578

SHA512
c19c14b7399fd0fa54ce2a14be793bf489645981450560dc6006a87b13703bbd5e440054838c062ec071ca1d60cccfb4235f044005a1afea4d0cd9ce2ad41e72

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8b9639f58fa2bcbf5a11da9adadee8b1

SHA1
883969b68dc4e447f785f6f511118c220910b0c0

SHA256
3c696053588962011577f3709505f2a7c85569d5aa9a4787b658684050bb5d61

SHA512
d737413c851dadcd5d51e5a9ce25fdd7a7232c428d71e12a1783a96df08cf6d8b11f150c5f8e774de6fdf9423e4e069fae40de49f25c2f999b9d0e63de647f80

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bdc99c77a8b14c999109604bfa0c19e2

SHA1
90de2c5379bc644fa2f3c24af4b541dd1d3489dd

SHA256
546b6168eb4f5f9d7cfeda86d903978f17bf5e40a7caddfdcdc9858fd7b8b5db

SHA512
89a528b005a0e2efc47ac94bcae75f07ab400e1b67e9b83f05ec0b60325854456db09a9e8391759909c3a7fe63fa7c873ab282a06f3c75bbd9f040489f3c2aa3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
f3af57c69eb213da67d30b9679f559ff

SHA1
964aa740e885dc82f8da51d52a82146b8aca3214

SHA256
d66e0901e9da874ae06ee5543089fc428fc8dd825d30b6834bbc4cee36890bce

SHA512
fe2a1cea452cede0ff82a15d5701cef9c34bb1abaf844a29a4e753415efc74448578d3452d5308333290624315d39090901ab269c32a33270536904cfeee7f26

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c572ee3adee2c2d45fdc6786a284fbfc

SHA1
485717428e761e43f5a72b014fb9a416b6d74ef9

SHA256
55032a9add670998740126857fc36d4fda610ebfd8bcfd4c2562fb55027ca3bc

SHA512
d7c0a171bf1a5c718df0e0133956ac1dfed32ef0f51a7a717f74d9122d61a09e157b4fe34eaa91940874ad8607e070a38f250bbc7b3dc3f276fa7690b9b5a582

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3194cac08ccc27306b28538ac9312e06

SHA1
52dffbddfaa33a41c77dd82c37b7fe0155f2c980

SHA256
a5bfd7a1ab83347d467c4ddb11b6d2c353c675a2d9b98a9f589c901fdf4300e5

SHA512
9fd2ec6c1c697b603e1a0667a72d9bb1b5010686820c3aeec0ece24423f6852ccc7f2654797da126496a215e0702ad2a856eb7b69567812f71723f7957f05938

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
6c1ce62810020a20c37f717c036ec17a

SHA1
80804447410e61554c7b84299bb87fbacc1435c6

SHA256
f40b94c39c3cfb5ada7e50ed57f6a3bd84aaf5561ee82002cd428954a8fca897

SHA512
8f85e4a991f21c64172775f74d9ad7600498623953ec118973565610bd945173fd31c7421f61e7b91bfd04418bb3a0ee2cff7cb503a0443760f7a8a407308b54

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
dc6e006322db65ab3d5cfa047101beb5

SHA1
9f9d9a73e94707ac485090d290dcf0c5f5ebe23a

SHA256
b7d43eae5adcc166b2fbaeca6f4f730509cbdc0431be4221194df8801911e42c

SHA512
37d88a2d8597085d94b4f62a915b032c5e10333c6b96b0acc95e959aa1c2e91e13a34827fdc98bc6740baf61d39c05868f1538f01c508ef0ded0fd7d2cd113bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
7684a8d0c1af3910e38ff1444e48177c

SHA1
1d322a58f712f59f2b0fecfc31aa6eb85c6d85ec

SHA256
0b2f2ddc6ded68e20a4d291d4f78d95d1ab800ed5d5727bccdb49e272d6ceb21

SHA512
c6b942c02388ea2d16d11a21f74ba0304ce146fdf7f0fbcfbfb6afd53c73ce76a7f5b1300ea7cbfc15eb3654c0416fe97d0e425996ebd6d6c6baf4aa9ba2ae80

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c7350f225e78b90c3791c836f13f754f

SHA1
0984ab1e1a1563489eb81bf68c391505fa2c438b

SHA256
9761760f863bd1ec9b2d393d207722a766d9222ca8406ac71c51ad89de30eef1

SHA512
47586eb6585b4b145a4b9854eec3f3bb1ebcfbf28701ce0db4a7ca4f26c9b30b20ca8b7be59f5fc751a3cbdba0f760c7528fe60df11ba524951fc39beed81a57

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
37db4bb56996247a7c20493cdbe438a9

SHA1
73e2fc3ba3c856a00d9ef1fe561b7e9f051d33bd

SHA256
9f89facbec13090e412705611fb1d24f41f052f9f6df62e58b51e09bac3e572d

SHA512
90962c18535b28a4d6653c1b8c582d8b941a2833b5e96c5281df9931f9b033b293692ca0b9ef624864616dcc465b896502a618a8e676a634838aed7e1070c85c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
e4adde42b759fbd1ab739ef05e9ce4bb

SHA1
7d55076d8290ad4e2d1513f11b73f1f0462d3521

SHA256
07bda966f3b1a5f4a022cf739196ffb2ac9f9fab090d0d426017f4707ed0a87a

SHA512
7e72babbe66010fd15a2529cd8bd3f2c63c46da2e4a22db13237d3e771b1f57767794d71a7f4c6d48e42e98eba8841e56ed1ea067d047963860d078f1fc9c76f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3736b6bde101c09aba467613f23f8bcc

SHA1
ccb970608b5712b0e9240f1fa5895da57f5c2b08

SHA256
0f89335504a4ecd282d64cbb1aac0a573a036abe6bcba2ad0a7e4879b228c17d

SHA512
bcbeff353ac9494c8262e87e0ee5876ee088406f62fc35062144575d8d5c675ebee44e7078418640549f97a53490355e0f1b13e555ce9f52d8b3a572ac8de117

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
5f475e885de849a8d4f04e7cf31380bb

SHA1
b56c4a94cecf667d37a2158a7731ef46179c4230

SHA256
5ad03f51196a89490b14eb3e0684d2b22e8dd5edbb736de775d4b766a7369416

SHA512
5eb0b57578f4480074d89dda1b1fcfcfb9f0d23daff1b0b0f298b9a978e6b2109cbf6b80f62bab825360572175ed8f8c38e8f1551e5bb113c008b92684be0f40

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
ae96264dc322498336472353d22d5b5a

SHA1
69a9d841374fe0cd6728620f5cede0536616d085

SHA256
636ac56a9e1bf6017e2632f8014ac0c2e26af1f9d3f9b4866248dc0dc7c13025

SHA512
2c8fa95b95df02c5a6560e8fd5e983029bd9a882b77e90881326d941f8650b447f9bace240a82828030c38cfeaf4a34f3c743a27e6f6268b6a48f72c2f9f0a12

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
b8cd41b10ae7f094f5cad555e04e9456

SHA1
f352f23adc547770b5d8da4d4c8fecd24388b1aa

SHA256
a6c3de7c61afccb0105dce9fe7f300b613c8081a36a3cd15c94ccf9ac10ae7ed

SHA512
83f7db3fe51fa4cd390b3552bc0b4ad93ee0150456f7e33f629914f0c7473fd8851b62a65c80406b84784418d538b51d5d9a0b842c5c82dd58ba3e669841c23d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6aea50a61bfcddac4a3213f947a7696e

SHA1
e82f16e5b4d5826bc40aaf7875acd99c89216710

SHA256
e86e30744183179aa81826884703cf56ba2ae108e694f0d84936f85f49f16784

SHA512
568554a6505974cbea0f006fa94c3d0bfc179e41d49596f881e4906750a7397514b71f78745569a192373db1a77bb154cb4929ba5b994d33db5befb977ca8398

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
133ebb6c3192ac01a83ed544599ccac9

SHA1
a01fafac028e0bdc78dc48a54eb10991f238ae22

SHA256
637202c9e670c3e32005793e0f96f403e31e852d4420ec7d00f8a0d7f91e3b7f

SHA512
9b3a62e03b408948032101d74e4f887d2fae188dd87835f922f1a279d738ad743681d9d1ee85aa6c4c5524a6e015753d6d5e3506e3d6129ea7f7affa1850b662

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
aaf3d059fecd171d4015762d46fae007

SHA1
bd8a79669e9c6825013cd822bcc91c68ea6e7d15

SHA256
a116b6418c5bf07e100ffd199ee7f902d97fbe6fc99a31e6dbcedf35d57baf7b

SHA512
7a4854902592065d64891254794d72a81140392a4fceaf998fad1d3e509c9afdef4d99427feebdf3bcfacb7e7751f32d6fcd44e8f352a9a19a635ad54891b69f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
69da9d752b8c981f15ed831793321f35

SHA1
4d8f22e165ea31d619d0b3531163c1abdf4672f5

SHA256
8a28dc3fc5f9173245310d682011fd90cc86fc0891c3e96a0bbaf06f450bea47

SHA512
3b1e118ef13f38b5479216b72a3f6de97f74eb6d73525ceb4da5deb92fb26fee2d39da6e6897a741194c8dd8bdc208104380d3d6c70b2e636460495d8c3bec63

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2aed1929bbbcc71c6d94d08aea690e48

SHA1
d95d69ac69b5c1c1d65feaf4e8f861f2b6e353c9

SHA256
d3d9b7c6d4107313a9b0680fd61007fe02253ebb98892d7f6606d06d832ec761

SHA512
e7106465867f3ec1e71a198881549959778464aac21dc44cdbb9124cae13ecdea1e42b1f1786e06dd0b2b6595ea17b8a86de7e7f1eeea79fc0b1bffc4b7be1cf

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f9820cce9400d17587754bb3d9f78c0e

SHA1
b766cc8ed4d5e321ea84db6e844342127c8e888a

SHA256
446e50ec4674042a5d7c90af10d9151b30d00f2c2b58076c344f5a6a4db0865e

SHA512
a271a8997de907df47db446bf618a18acb761d749dd0e79b94f3dac297bf717fcbe31222ab925649e3fa34aba00fd3174517381591252309147bc1ec0df0bb08

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
1366075f27a82471657d509396bb0a15

SHA1
523cef42322381263a823a229048a984a0066e73

SHA256
57844d4aae3992f5c7538be40b9654443d566d25a332b5186a38b3da7dab7e30

SHA512
7f10d3ed1f7351c6b6343dc9d425e259d2ec83e0c23d1d3403aec82903569e14634266ef76d4a5eeda6c3b1f47445493a4418988b7ac48b8a91a46e6b9366d46

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
31c7561d0b2a1218e05fa22fcd718fb4

SHA1
acb017ca69a4d0897e7c0f239c6014e4c8e68cf1

SHA256
415de79f51d6960618e00c2c96d0efbc5d0c3ff203ce2c3e59f788cff0432dd5

SHA512
755e12abd9102c0147b90b72e6f1f2879d934b3d491c2d5f3af7a745d76fbcecb3442813407b6b62987095887146fcebfe54d8276191368b234123a76698b757

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
1bf71a293bc2f0b0f3187d4ca830a058

SHA1
d68ce7bdf3789ce8cda86b3dce1b0a870f3b8c68

SHA256
4c75c8f47dc1cd43cd9c522f3de341b93544d47f96ae5505f688a1b134a5c84c

SHA512
45e980d87d46701170b2be3b7dd2ac036df00eff1312062fe0dc7520b7ef5da025511f79b53f38e0bf2224be1aad1c1920e8512ebce0094c11effd95124659f7

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
803c96c0e8a8a2b7e0a2d1ec9ac2100b

SHA1
8de5090b2c0bd34f3880a11856874637d873d52d

SHA256
254440c1aaeff699109fd99655c4b967bc5e65d8b5390d890aca3bd224669d42

SHA512
694b5e95387862d2b0ea7c127bf8255e4ec5c0db46f44d8c1caa6faf0b11917eb07967c4da429103bba8f807c11ed13f812a6f0f3b280c587d3b57618797084b

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
68e893a4bef509f68df4c7d930c21933

SHA1
0b8fa1c51cc513559b7ac13931968e8cccd90cbf

SHA256
7690ba26b6e65113ea06a8ef0ede11232e36036d0a2ed5c2114c99ef1d091530

SHA512
c35c966288346e5bcd49415f7dcdba64674141058991428666d4f4d5816a881d24e57639500fec1ddd17b0ed212a0d5b456302c1763e9ee69fec9bf564cb63f0

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
4f51850a4e2ecac9226b16fe09ba6562

SHA1
1939ad2efabd14a225e2dd6dcac3bd4350cf7584

SHA256
6b594439c3450c100c3e115de9773ee429bb22e922f9badd56db000c85b0b766

SHA512
8d638e9b45cfbe5d4734aa277df7bd780430a351bb0fcc00a55e347e1e86d3ea12866fb47a432bb427ec699490659429617b0398a311567e4c84ea0ee2a5c338

Download Submit
memory/860-382-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1320-107-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1320-114-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/1320-142-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1320-108-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/1324-530-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1324-547-0x0000000072890000-0x0000000072F7E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-532-0x0000000072890000-0x0000000072F7E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-524-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1324-546-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1756-163-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1756-171-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1756-308-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1756-164-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1912-132-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1912-125-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1912-124-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1912-175-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2044-143-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2044-289-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2044-149-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2044-150-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2044-151-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2212-290-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2212-288-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2212-347-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2272-277-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2272-271-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2272-344-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2272-337-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2304-567-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2376-348-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2376-363-0x0000000072890000-0x0000000072F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2376-339-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2376-417-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2376-419-0x0000000072890000-0x0000000072F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2404-564-0x0000000072890000-0x0000000072F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2404-551-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2404-559-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2500-519-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2500-520-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2500-521-0x0000000073E28000-0x0000000073E3D000-memory.dmp

Filesize
84KB

Download
memory/2500-332-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2500-329-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2500-341-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2500-354-0x0000000073E28000-0x0000000073E3D000-memory.dmp

Filesize
84KB

Download
memory/2528-318-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/2528-514-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2528-312-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2680-309-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2680-541-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2680-536-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2680-310-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2680-548-0x0000000072890000-0x0000000072F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-301-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2680-297-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2712-187-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2712-326-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2712-266-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2712-183-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2764-184-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2764-103-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2764-95-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2764-96-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2808-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2808-263-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2808-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2808-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2808-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2808-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2816-162-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2816-40-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2816-39-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2816-19-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2816-13-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download