Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2024 17:03

General

  • Target

    fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe

  • Size

    1.5MB

  • MD5

    059d36688fa358320ccc649a57cc3630

  • SHA1

    2f00d0f2bfac22d78c4139fb2050a13ec6f92320

  • SHA256

    fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aa

  • SHA512

    51dea25579fbc5f2790a820a493aecfb20aa37de6f1c86f049bdde85c856c7e8d607ba99325882664c2db4bf6b7fba4601b8cbd3d56e70f1d38b1e05468e4779

  • SSDEEP

    12288:D8G9hvvnGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:DTvmt/sBlDqgZQd6XKtiMJYiPU

Signatures

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 37 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
    "C:\Users\Admin\AppData\Local\Temp\fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2740
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2764
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    PID:2768
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:1740
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:820
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2304
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2960
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1740
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1dc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1992
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 23c -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2484
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 1f8 -Pipe 260 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2320
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1f8 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1488
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 250 -NGENProcess 1e0 -Pipe 25c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2620
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 240 -Pipe 270 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1696
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 240 -NGENProcess 23c -Pipe 278 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3064
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2952
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2268
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e0 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2376
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 284 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 1e0 -Pipe 280 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 27c -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3004
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 1f8 -Pipe 1e0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2180
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 23c -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2620
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 298 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2868
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 2a0 -Pipe 23c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1480
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2348
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1744
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 250 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2556
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1d8 -NGENProcess 27c -Pipe 2b0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:952
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2cc -NGENProcess 2a4 -Pipe 2c8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2492
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:736
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 27c -Pipe 2b8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2484
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2a4 -Pipe 210 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2408
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 27c -NGENProcess 2a4 -Pipe 2cc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2152
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1524
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2d8 -Pipe 1cc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:904
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ec -NGENProcess 2a4 -Pipe 2bc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2636
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2a4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1716
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 27c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2624
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:672
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1672
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2980
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2a4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1800
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1732
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2184
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2616
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:632
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d0 -NGENProcess 304 -Pipe 31c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:904
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 304 -NGENProcess 314 -Pipe 1d8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2636
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 30c -Pipe 318 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 304 -NGENProcess 320 -Pipe 2ec -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2624
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f4 -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:872
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 328 -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2992
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 334 -NGENProcess 320 -Pipe 2d0 -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1676
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 320 -NGENProcess 2f4 -Pipe 330 -Comment "NGen Worker Process"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2300
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 33c -NGENProcess 324 -Pipe 304 -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1596
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:856
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1524
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 2f4 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:336
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 34c -NGENProcess 334 -Pipe 320 -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1120
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2904
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 33c -Pipe 324 -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:264
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:860
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1572
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1832
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2784
  • C:\Windows\ehome\ehRecvr.exe
    C:\Windows\ehome\ehRecvr.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2888
  • C:\Windows\ehome\ehsched.exe
    C:\Windows\ehome\ehsched.exe
    1⤵
    • Executes dropped EXE
    PID:1776
  • C:\Windows\eHome\EhTray.exe
    "C:\Windows\eHome\EhTray.exe" /nav:-2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1924
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2520
  • C:\Windows\ehome\ehRec.exe
    C:\Windows\ehome\ehRec.exe -Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:872
  • C:\Windows\system32\IEEtwCollector.exe
    C:\Windows\system32\IEEtwCollector.exe /V
    1⤵
    • Executes dropped EXE
    PID:1544
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:1376
  • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2312

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

    Filesize

    1.6MB

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

    Filesize

    1.6MB

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

    Filesize

    1.3MB

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

    Filesize

    1.9MB

  • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

    Filesize

    1.6MB

  • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

    Filesize

    30.1MB

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

    Filesize

    1.6MB

  • C:\Program Files\7-Zip\7z.exe

    Filesize

    2.0MB

  • C:\Program Files\7-Zip\7zFM.exe

    Filesize

    1.5MB

  • C:\Program Files\7-Zip\7zG.exe

    Filesize

    1.2MB

  • C:\Program Files\7-Zip\Uninstall.exe

    Filesize

    1.4MB

  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

    Filesize

    4.8MB

  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

    Filesize

    4.8MB

  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

    Filesize

    2.2MB

  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

    Filesize

    2.1MB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

    Filesize

    24B

  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

    Filesize

    872KB

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

    Filesize

    1.5MB

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

    Filesize

    1.5MB

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

    Filesize

    1003KB

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

    Filesize

    1.5MB

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

    Filesize

    8KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

    Filesize

    148KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

    Filesize

    34KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

    Filesize

    109KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

    Filesize

    41KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

    Filesize

    210KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

    Filesize

    53KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9419a3640bc85a8d57ac5ecd0caf2feb\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

    Filesize

    180KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

    Filesize

    28KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\be84308c4c0046659a9c19981cefd1fd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

    Filesize

    83KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

    Filesize

    27KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

    Filesize

    57KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

    Filesize

    130KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

    Filesize

    143KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

    Filesize

    59KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

    Filesize

    42KB

  • C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fe14aaba65f41b6628fcfb4b7acf9f2f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

    Filesize

    187KB

  • C:\Windows\system32\fxssvc.exe

    Filesize

    1.2MB

  • \Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

    Filesize

    1.5MB

  • \Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

    Filesize

    1.5MB

  • \Windows\System32\alg.exe

    Filesize

    1.5MB

  • \Windows\System32\ieetwcollector.exe

    Filesize

    1.5MB

  • \Windows\ehome\ehrecvr.exe

    Filesize

    1.2MB

  • \Windows\ehome\ehsched.exe

    Filesize

    1.6MB
