8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
Size

1.8MB
MD5

b20241e25bcb4a283625bfe4a94f86d0
SHA1

6f0540a799fd334db7c42aa463edcfdc8f78d800
SHA256

8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22
SHA512

d388085833b8c094a88c4bf7ec4888d7ef653e5af0bfaaf49dfe024f0298ac1397770741ec2ca2a21825dd20ba456a45599d1f0fc522f92213586d7c6db8b329
SSDEEP

49152:MKJ0WR7AFPyyiSruXKpk3WFDL9zxnSUrfPOkhqvq:MKlBAFPydSS6W6X9ln3Okf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 28 IoCs

pid	Process
480	Process not Found
1284	alg.exe
2476	aspnet_state.exe
1808	mscorsvw.exe
2020	mscorsvw.exe
1672	mscorsvw.exe
2400	mscorsvw.exe
676	dllhost.exe
1128	ehRecvr.exe
2796	mscorsvw.exe
1448	mscorsvw.exe
3056	mscorsvw.exe
2576	mscorsvw.exe
1060	mscorsvw.exe
2624	mscorsvw.exe
2920	mscorsvw.exe
880	elevation_service.exe
384	GROOVE.EXE
952	maintenanceservice.exe
2232	OSE.EXE
1380	mscorsvw.exe
2284	OSPPSVC.EXE
844	mscorsvw.exe
2056	mscorsvw.exe
1684	mscorsvw.exe
1492	mscorsvw.exe
2800	mscorsvw.exe
2180	ehsched.exe

Loads dropped DLL 5 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a13cd78faad3ae89.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_da.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_gu.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\GoogleUpdateCore.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_ko.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_th.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_pl.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_vi.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_ta.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\GoogleUpdateComRegisterShell64.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_et.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_sk.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\GoogleUpdateOnDemand.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_lt.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_en-GB.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2185.tmp\goopdateres_te.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{66089FBD-88F1-4CAE-8F45-1E03644E8B8C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{66089FBD-88F1-4CAE-8F45-1E03644E8B8C}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2176	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
Token: SeShutdownPrivilege	1672	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	1672	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	1672	mscorsvw.exe
Token: SeShutdownPrivilege	1672	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeShutdownPrivilege	2400	mscorsvw.exe
Token: SeDebugPrivilege	1284	alg.exe
Token: SeTakeOwnershipPrivilege	2476	aspnet_state.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2796	1672	mscorsvw.exe	36
PID 1672 wrote to memory of 2796	1672	mscorsvw.exe	36
PID 1672 wrote to memory of 2796	1672	mscorsvw.exe	36
PID 1672 wrote to memory of 2796	1672	mscorsvw.exe	36
PID 1672 wrote to memory of 1448	1672	mscorsvw.exe	37
PID 1672 wrote to memory of 1448	1672	mscorsvw.exe	37
PID 1672 wrote to memory of 1448	1672	mscorsvw.exe	37
PID 1672 wrote to memory of 1448	1672	mscorsvw.exe	37
PID 1672 wrote to memory of 3056	1672	mscorsvw.exe	38
PID 1672 wrote to memory of 3056	1672	mscorsvw.exe	38
PID 1672 wrote to memory of 3056	1672	mscorsvw.exe	38
PID 1672 wrote to memory of 3056	1672	mscorsvw.exe	38
PID 1672 wrote to memory of 2576	1672	mscorsvw.exe	39
PID 1672 wrote to memory of 2576	1672	mscorsvw.exe	39
PID 1672 wrote to memory of 2576	1672	mscorsvw.exe	39
PID 1672 wrote to memory of 2576	1672	mscorsvw.exe	39
PID 1672 wrote to memory of 1060	1672	mscorsvw.exe	40
PID 1672 wrote to memory of 1060	1672	mscorsvw.exe	40
PID 1672 wrote to memory of 1060	1672	mscorsvw.exe	40
PID 1672 wrote to memory of 1060	1672	mscorsvw.exe	40
PID 1672 wrote to memory of 2624	1672	mscorsvw.exe	41
PID 1672 wrote to memory of 2624	1672	mscorsvw.exe	41
PID 1672 wrote to memory of 2624	1672	mscorsvw.exe	41
PID 1672 wrote to memory of 2624	1672	mscorsvw.exe	41
PID 1672 wrote to memory of 2920	1672	mscorsvw.exe	42
PID 1672 wrote to memory of 2920	1672	mscorsvw.exe	42
PID 1672 wrote to memory of 2920	1672	mscorsvw.exe	42
PID 1672 wrote to memory of 2920	1672	mscorsvw.exe	42
PID 1672 wrote to memory of 1380	1672	mscorsvw.exe	49
PID 1672 wrote to memory of 1380	1672	mscorsvw.exe	49
PID 1672 wrote to memory of 1380	1672	mscorsvw.exe	49
PID 1672 wrote to memory of 1380	1672	mscorsvw.exe	49
PID 1672 wrote to memory of 844	1672	mscorsvw.exe	51
PID 1672 wrote to memory of 844	1672	mscorsvw.exe	51
PID 1672 wrote to memory of 844	1672	mscorsvw.exe	51
PID 1672 wrote to memory of 844	1672	mscorsvw.exe	51
PID 1672 wrote to memory of 2056	1672	mscorsvw.exe	52
PID 1672 wrote to memory of 2056	1672	mscorsvw.exe	52
PID 1672 wrote to memory of 2056	1672	mscorsvw.exe	52
PID 1672 wrote to memory of 2056	1672	mscorsvw.exe	52
PID 1672 wrote to memory of 1684	1672	mscorsvw.exe	53
PID 1672 wrote to memory of 1684	1672	mscorsvw.exe	53
PID 1672 wrote to memory of 1684	1672	mscorsvw.exe	53
PID 1672 wrote to memory of 1684	1672	mscorsvw.exe	53
PID 1672 wrote to memory of 1492	1672	mscorsvw.exe	54
PID 1672 wrote to memory of 1492	1672	mscorsvw.exe	54
PID 1672 wrote to memory of 1492	1672	mscorsvw.exe	54
PID 1672 wrote to memory of 1492	1672	mscorsvw.exe	54
PID 1672 wrote to memory of 2800	1672	mscorsvw.exe	55
PID 1672 wrote to memory of 2800	1672	mscorsvw.exe	55
PID 1672 wrote to memory of 2800	1672	mscorsvw.exe	55
PID 1672 wrote to memory of 2800	1672	mscorsvw.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
"C:\Users\Admin\AppData\Local\Temp\8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1808

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 25c -NGENProcess 244 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e4 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 238 -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 26c -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 244 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 1e4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 1e4 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:676

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:880

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:384

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:952

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2232

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2284

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
177a106ca7762fc97c36f2b1b1c84155

SHA1
11296ad3436b4051a5b64cb7eac2a4b5a05a8b9d

SHA256
3b1b3cffe0b09c4aa6d8bb530ecadd730f4fc9888caf540aee3ec6b6271e4fa1

SHA512
ab51e19d13545cbaf79c8506f698ec2d349881b75660eaef7eeb4a3057d8c6fcd5b2aa212a458c43853dcb0856939a37bf0b089e6f43fd0b9ee795da07ad02be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
4d83bdbbece49c963fe3f4de6c9717d0

SHA1
805bb8379ad227e8e663f90fb2882ad2db72713a

SHA256
ff0f4b30176338d9b4ce081339e3fbbdddd229e49c293d5740a8de8273c89e34

SHA512
b689e3658c91a4a9853f7f16795316d3ebd2d50b39f865d24c55c3a749ee2e25a88eb824e2a689fae304f95faeb9fb0a6115c576a3da742080b9aa3251ce3772

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
149f6c87cdfa22d37e26bf6eee435de1

SHA1
cbb4b315c90a09b6e2f411c6a0f364a367c8be76

SHA256
0305bbf1ee17a7b35608166adb1fca6c064fe13ac0d9f73c7c56e9f9adc327a7

SHA512
3e1a819c58f9f2d3d41d96440ded526d7aff86fdfed1e645c5fb036bdc01ec185e44f127b373b3bb515b7670ed40e6365ce4a07a58b166bb99d8bc6e4b698aa6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e491851c8e396b2c311c88089d14ca45

SHA1
93a76885715ee49e8d765861b58431bb94390981

SHA256
fcd3b89a3f5a893be032fbc16c599778978e131876e3d881af0e5cbc8296c76e

SHA512
1d36e797a816eb2dc27d5641af6c1f0dd87e30cf517fec55b1fa450bb16dacf2bc1ce6a4fb7ffe10032b3f7b9bf0c9c1fda91bc47946652a899aa05f29b06f05

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3b68abbb7715b29115b08f0d7a558e6e

SHA1
564c855498092ea9efba236bd87644590dabf145

SHA256
ca36100aa62044b27441fe078be1961ab81b38e9ae98a1c8e3c845da6280ed41

SHA512
c3b3b95d7708da2f51042f076e4e7b29b498683d99889863409e4c0392fb8e2a9f521c6299c2dbbc27bd826bc0baf8a719f160408a92f3a07fd57f53d436867c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8ff3a3243e5b96923767da3d15c832e1

SHA1
313e04d7505f643dbb98c452d775e546036484a9

SHA256
46166279316dca54d272641ff45e6fa2f000d8a2d9c9d3e5ebce6eb0ae86a81e

SHA512
081aac5e0dc5f84129c3b325ec326b42647d1be3fdeb0ed817e07327151c377534523b9c9b6706b5823fd31e12ca4a9d1eb6c0a287f06ec6a27bba89445b31cc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
5fad904575a94110b127369957db3fc3

SHA1
0c307a983ceba14776350c08f24bfe1411977d4f

SHA256
1103af07b9e05629cdc99101f92d541486b744feda9fec9ab2521cd5da1c08fd

SHA512
6f82d79b3acb813c1753b55abb11c85702c2c560e9b557be8453802e6831f5d0b18846a02c9742ae3ae2d492432fa591eaf4576e16c133e2c39d253a50ec5692

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
27399eba048ad4e1e7fa446e5876d723

SHA1
bb837469ebc608d4255bf8c034ef3bfc95b76543

SHA256
3c3ecbac0e5a0827dfee717d89a96beaa1f66ffd9894fd339680f9801248f594

SHA512
1d16e33b0e22484b294afe2cf8ceb674c709a4cc3808e1903662cd337803a46a10730531609eaccac29bd12960f367b4050183b61d02e15426796ebce66f8a70

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a22f12a3ecc06fdc7535dc07aaa010d3

SHA1
55794fb1bfe43fdc3d014aa3b08e1d66c3a49ce8

SHA256
a71c4d8fd2e61fefe855762629c13e475297ed868c6008bc5eaf8e75ba9b3858

SHA512
def7f82d44bf6049a22ed4939232e5d1977f35ea321c9f8274d5ec3a78101e40ee034e58e644532a0fa33b8c2c6e863e55c974fd184e0dc14b4f267ae6989c63

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
eebf637279ea0581747ff23af9c61b72

SHA1
32b8b980ee79fdf5ed0cf297c4b752ba3ea371a5

SHA256
a0d269083247ba2a8d4f1f2a0c3cfa240c6c767d4bbc2a8612a9019ca5506875

SHA512
50065568c6860b6e42762019f56cbadd90d183fefdbb67b24996332fe3316bce5d7c17c6cd748f6adbe78bb0195234d9007267dc04953d111ea193813f1d5a62

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
15bc0d795b9e0fe43734d493dfce42e0

SHA1
ef83a337016f44e5735995c43aa171701b061368

SHA256
12c7ce5f2671b1da460271726e244d17cbb3ac0c891ed220831aaf1a7a4a5207

SHA512
346d2f7fc4210e686b8fe6f628e60be019bd0c6c2895884d831c0b7aaddce9389776d489b02dae0deb74947c9a1b92c67d5d3ff6da219620bdda5f0db6640195

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
768KB

MD5
ee8b1ac566d1f0c04cf700e00fb33fa5

SHA1
4eed098b9d5728895279caa4dae74777143e2521

SHA256
10461f19298f651da74431200397216c336399f0a177725127d197e0abe1e44c

SHA512
fdda372aff4fd4c84899c7b2548f549bb76cbf297615c674bd58ceea1c3f57a9e259ca09b84485cb63b394c59cd96f2fa2571cf79b33dbca6948d0bcfa8c87f1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
26e77012a59ef5a952517891bc43f2f6

SHA1
0faeb8c301a96b687961d5ba707e58075e394863

SHA256
81deacb3da6eff158c715e650917817f6d0fcfe1ea7848da5c892a3ae265698a

SHA512
c4dda35a8ba3c47984930460c46bf4c36f34e49337b29ea22bda2bb30149b9f9a7f58aaa372e9cae4764c792babe02d037309b042826acefc3cc4855d2f4a1d0

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
5c82f660d23b78b90227a3ced1a9eefd

SHA1
9244bfdf7be170189c6e8edcd80e35a86b30ea85

SHA256
0d3ad39be50cf36cb27f853d50f6a16d1d0444031e4b237cacd3c277c01a9913

SHA512
565fcb7997ee309247ab7fd38b5a2d4ec33b99fc6e12f74d08d22e40b4b264435e7556f118f56c9ce10d06e71a334fa013bbea93ed557dcdafeb37c2a3fe149b

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
0183ef03057dab119c08c77ef14fb4f8

SHA1
0c375390e6e8528de10ed422b0e5db5c011e3fdb

SHA256
9d9f71fc29dd9db5f813a74016bd353d3df6a1eeecd3191c9819dbbea7b7d8de

SHA512
0e214afac15cf9b91d0e4993ffaf0a98b63154fd4f721fc1f1172f2197f3ea119284af8c34bc285143b1537e8f3b15db9c110c09f78b71b3d74908670fa7ac99

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
447c2acb06e6c00b93bef9d4b2015453

SHA1
15b83ef2df8e20b410b6bb827cb735f47b2fcf80

SHA256
fd05111f02e821e66fe3a856aafd5a8e5e0df9f7a36440307ba488250f7590e6

SHA512
e31591d6198a5fae8ef225d8eb08f4de0513c527be2cee2f72f201e66af8b542a0fedf435c4aa1f2f91923e317763ba9e7bbfcb6be4633fbfad0691a145c3177

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
b263f8c22f6181bae7d43efa85a26f28

SHA1
5006e36eab3ee292ee04d7d9682703abca38470b

SHA256
d8580413ef1237e8a0bd8dcfe41b80b79a0a0757d5df8a587a47f10792bb54e2

SHA512
ba718cc30d8aa97b646ce661546c31c27c94cff2afaee0eee0e05bc1aba6499b6d33f4a01ae8681919879fe68c2a3aae98c3c97d775d600c75c79336561fdc2b

Download Submit
memory/384-392-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/384-386-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/676-188-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/676-181-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/676-316-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/676-180-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/880-369-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/880-381-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/880-422-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/952-400-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/952-409-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/952-435-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1060-358-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1060-359-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-346-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1060-340-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1128-325-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1128-194-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-161-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1284-17-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1284-13-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1284-88-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1380-437-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1448-298-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1448-315-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1448-314-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-306-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-297-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1672-142-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1672-141-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1672-285-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1672-148-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1808-105-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1808-111-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/1808-106-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/1808-157-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2020-119-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2020-127-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2020-120-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2020-155-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2176-271-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2176-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2176-0-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2176-140-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2176-7-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2232-416-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2232-425-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2400-304-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2400-162-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2400-164-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2400-170-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2476-179-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2476-101-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2476-95-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2476-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2576-345-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-327-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2576-344-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-332-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-405-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2624-407-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-360-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-398-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2624-353-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2796-283-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2796-300-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-299-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2796-296-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-414-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2920-376-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/2920-395-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-330-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-317-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-331-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3056-310-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download