0c70a985493b30edda772a39d108743e11b52569bccbb8e5b48a271765fb998d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.e.msi
Size

42.1MB
MD5

c6482889fe38ab6fac54f0b220ac5407
SHA1

0a69fbde5b864d04ac9c28e2361b2d2e684c8f38
SHA256

0c70a985493b30edda772a39d108743e11b52569bccbb8e5b48a271765fb998d
SHA512

7e952a053c54cfd5dcc3854459ac53ccbf56880e4978030f32f55d433f545002683fc1a43a0e0d919f1b8608e84da72c7c1fa0b575171c91ca1d75048bee8934
SSDEEP

786432:Ik4FDMyBJdSbNA0Dmrv+XkyxQ+wFyz1thYPATnoYELCw:VkncYTRGyPqoLCw

Score

7^/10

collection discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

DiffDog.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	DiffDog.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

DiffDog.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DiffDog.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DiffDog.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DiffDog.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DiffDog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DiffDog.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Advanced Sync Manager = "C:\\Users\\Admin\\AppData\\Local\\Programs\\MotiveWave Proffesional\\DiffDog.exe"	DiffDog.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow	pid	Process
5	1716	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{494D20A3-04AB-4FD6-8901-F174670D563F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBC9.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d92c.msi	msiexec.exe
File created	C:\Windows\Installer\e57d92a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d92a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

DiffDog.exe

pid	Process
3136	DiffDog.exe

Loads dropped DLL 12 IoCs

Processes:

DiffDog.exe

pid	Process
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c05-75.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
1716	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DiffDog.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiffDog.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DiffDog.exe

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DiffDog.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	DiffDog.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	DiffDog.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	DiffDog.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DiffDog.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	DiffDog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	DiffDog.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 20 IoCs

Processes:

DiffDog.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	DiffDog.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	DiffDog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	DiffDog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	DiffDog.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	DiffDog.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	DiffDog.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	DiffDog.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	DiffDog.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	DiffDog.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	DiffDog.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	DiffDog.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	DiffDog.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	DiffDog.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	DiffDog.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	DiffDog.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	DiffDog.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	DiffDog.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	DiffDog.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	DiffDog.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	DiffDog.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msiexec.exemsedge.exemsedge.exeidentity_helper.exeDiffDog.exemsedge.exe

pid	Process
3168	msiexec.exe
3168	msiexec.exe
1524	msedge.exe
1524	msedge.exe
2652	msedge.exe
2652	msedge.exe
1384	identity_helper.exe
1384	identity_helper.exe
3136	DiffDog.exe
3136	DiffDog.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	Process
Token: SeShutdownPrivilege	1716	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1716	msiexec.exe
Token: SeSecurityPrivilege	3168	msiexec.exe
Token: SeCreateTokenPrivilege	1716	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1716	msiexec.exe
Token: SeLockMemoryPrivilege	1716	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1716	msiexec.exe
Token: SeMachineAccountPrivilege	1716	msiexec.exe
Token: SeTcbPrivilege	1716	msiexec.exe
Token: SeSecurityPrivilege	1716	msiexec.exe
Token: SeTakeOwnershipPrivilege	1716	msiexec.exe
Token: SeLoadDriverPrivilege	1716	msiexec.exe
Token: SeSystemProfilePrivilege	1716	msiexec.exe
Token: SeSystemtimePrivilege	1716	msiexec.exe
Token: SeProfSingleProcessPrivilege	1716	msiexec.exe
Token: SeIncBasePriorityPrivilege	1716	msiexec.exe
Token: SeCreatePagefilePrivilege	1716	msiexec.exe
Token: SeCreatePermanentPrivilege	1716	msiexec.exe
Token: SeBackupPrivilege	1716	msiexec.exe
Token: SeRestorePrivilege	1716	msiexec.exe
Token: SeShutdownPrivilege	1716	msiexec.exe
Token: SeDebugPrivilege	1716	msiexec.exe
Token: SeAuditPrivilege	1716	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1716	msiexec.exe
Token: SeChangeNotifyPrivilege	1716	msiexec.exe
Token: SeRemoteShutdownPrivilege	1716	msiexec.exe
Token: SeUndockPrivilege	1716	msiexec.exe
Token: SeSyncAgentPrivilege	1716	msiexec.exe
Token: SeEnableDelegationPrivilege	1716	msiexec.exe
Token: SeManageVolumePrivilege	1716	msiexec.exe
Token: SeImpersonatePrivilege	1716	msiexec.exe
Token: SeCreateGlobalPrivilege	1716	msiexec.exe
Token: SeBackupPrivilege	4236	vssvc.exe
Token: SeRestorePrivilege	4236	vssvc.exe
Token: SeAuditPrivilege	4236	vssvc.exe
Token: SeBackupPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeBackupPrivilege	3564	srtasks.exe
Token: SeRestorePrivilege	3564	srtasks.exe
Token: SeSecurityPrivilege	3564	srtasks.exe
Token: SeTakeOwnershipPrivilege	3564	srtasks.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe
Token: SeTakeOwnershipPrivilege	3168	msiexec.exe
Token: SeRestorePrivilege	3168	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

msiexec.exemsedge.exeDiffDog.exe

pid	Process
1716	msiexec.exe
1716	msiexec.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
3136	DiffDog.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

DiffDog.exe

pid	Process
3136	DiffDog.exe
3136	DiffDog.exe
3136	DiffDog.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeDiffDog.exemsedge.exe

description	pid	Process	procid_target
PID 3168 wrote to memory of 3564	3168	msiexec.exe	94
PID 3168 wrote to memory of 3564	3168	msiexec.exe	94
PID 3168 wrote to memory of 3136	3168	msiexec.exe	96
PID 3168 wrote to memory of 3136	3168	msiexec.exe	96
PID 3168 wrote to memory of 3136	3168	msiexec.exe	96
PID 3136 wrote to memory of 2652	3136	DiffDog.exe	97
PID 3136 wrote to memory of 2652	3136	DiffDog.exe	97
PID 2652 wrote to memory of 3272	2652	msedge.exe	98
PID 2652 wrote to memory of 3272	2652	msedge.exe	98
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 5020	2652	msedge.exe	99
PID 2652 wrote to memory of 1524	2652	msedge.exe	100
PID 2652 wrote to memory of 1524	2652	msedge.exe	100
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101
PID 2652 wrote to memory of 2424	2652	msedge.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

DiffDog.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DiffDog.exe

outlook_win_path 1 IoCs

Processes:

DiffDog.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DiffDog.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.e.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe
  "C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\DiffDog.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://link.altova.com/orderfromsw.asp?u=&c=&e=&k=&pik=n&p=DD&ed=P&mj=27&mn=0&bd=Oct%20%201%202024&s=&lang=English&bit=32&os=Windows%202%2010%200%2019041%20&dns=Gyhasols&udn=Admin&guid=337c098e-c028-4612-8477-8035b3c47ddc&gsrc=r05
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb08fd46f8,0x7ffb08fd4708,0x7ffb08fd4718
      4⤵
      PID:3272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      4⤵
      PID:2424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:3604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      PID:1064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 /prefetch:8
      4⤵
      PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:1900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
      4⤵
      PID:5360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      4⤵
      PID:5368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,18180251855384300228,17864114688627248923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d92b.rbs

Filesize
13KB

MD5
8523541226f95133f193b5051d62e2f9

SHA1
9378fc00e114d6ca26dd8a9a6c57b6466d660374

SHA256
1314aa4db90c4d7c7708d2363cf0c821d094239a43c8bd5e26ae756e1c13e336

SHA512
4c4146282b5fa7215479f55617fbb704ce691befaa50ca4e04563a044f63e053364ce5252cd2a608a3f8bdabddd71a877b4b1b8f458293ff294fd057de25165e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
ff44ed45e2b98df51cf0d9d635487048

SHA1
5632aad16559fdb34ce94188d2e23506168d51b9

SHA256
a43646eae42c17773f582850ec4d8baf449d55c3a403e7702b0225bf543007f6

SHA512
c6f0c21abc459fde3855543053801c8f0c40c998a814590329c6168001dc9601592c7c6660147e4e4cdbe2cd3980007ae3cbc36f2a4834fc96caa3401c8d1159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
9450edd91f9ca5c12c04e4a60db36b85

SHA1
01863c1bab3dbf9b29019b512af3cddacee85fd8

SHA256
0b9006e4feea34ef36f372f36ae9865edef6e0bf714c696ac061e38e04bdbbf3

SHA512
d182f4b84a67291b294c0783a7b7fa537c2ee556e7ecb42b2076afcb120647953a416cff0d590e4746f5d10dc71ac12532de5f5ace735ac872bfbd9017440c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
422B

MD5
1d2ef0635298cc485d0682ce23ea51cd

SHA1
bdbb004bc8ecac904fcf9972485e2253d12cc7d7

SHA256
20a33225f8b88cced79ba946fe8896ba3417efb50bfa92dd4f50809f8ac2a4c6

SHA512
c751e9907eba790bbf73901f16a16b91bce73e7cffdb3dcfbeb3ad7933f970c95a22601ec298a70ee4b68575168d9c644d240289eeaef7475828388d24244405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73edd1efc3fb961895ea2d35607aeae2

SHA1
7b034ec01f8d18e02f66f92a75c2a20ee7119f23

SHA256
57f4fa22f5ef82cd457d44db44025ea158dc77fd1b7223661042372bc4db8266

SHA512
1aa42d84971d5ca7e09f3a5c76f42c42fe48c2fb46ee82f0741c2bd8c0b3418afcaa3762ee58ae73d1405dd56836eaeaab3d65ad674867b613a7c78cb75db8ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
762588b81c5da8c4826a7d40e8638e21

SHA1
57db8cdc79d4bdc5dc4cc2510e3d061336da26d9

SHA256
431d6c9232afb7ea1b9b88ce6a47f1c0926101054f575379f2802055338e65cf

SHA512
16076538da58f04301032b00698c8e66ff68a6ef424d6474b627e15884dcc39c51fe8e689b3edc500ddbf37f9a6b030940b352b947255983f7ddb18f3eb1186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc851c4470d85a99feecb4aa5e3b0a5a

SHA1
34a28881f9ebc90993da4b07dccb21bc7eb54199

SHA256
32396e7888e3f92f32454017252e9c3bfa0f37b843f6bb8cc5483f36a9d58320

SHA512
723ac38908a9539b14052da6203bf72e8669a1a4d40f4fbe604175092cdf13b1b254ec7f37c7bce3b82f180fdb76a05399bd5f24d06172e6382d36219ff982bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3c3a073d1a4bd009d27712be7d37ca59

SHA1
7e068de706e1297a702791113ebf8c9db399a963

SHA256
0ef0b2dfb5f5f04eabb8d638a1cbfbcf4ec985523b5c17221d324606e63aca7a

SHA512
ebbcb0fe516cbb72bf6188e287815b866e90270a6227d284485245c8d315384c80f832107d731f2952316e569847dee75521ca4055ea30b5d94705a26300ea16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1bbf29058aa52becea664ce6339f0ed8

SHA1
0df39b1ba8b1076cd384cb0902278517678c9696

SHA256
1c71987d34a5de2c859ba1edac64b7b80f571bd28bc48c9266e252841d9af894

SHA512
8b760886120e1736891210473111dd683af793ccd5d4e92e5ba56736c114e3377776465661a4f60cae854c857b88246b40b33ea495fc6dd201a1f2beecdc055e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9c436b7a6a364088a415fc0e3892191c

SHA1
a156bc6acb9851a980fd22468e530305e1f4a938

SHA256
bf2541c0e67bee660ab8deb87de37eadcd37e4add3e02a2fe0fc4ffd933c2d62

SHA512
a481e01ec3a0de90a2b59153841b4774a67eb42b3aa9475d6847d520d1436e2897f60a1895deb763bd5fc188c9dd3511e1eeaf098c944d04841ce33f349e81f7

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\Assets\DiffDog.png

Filesize
6KB

MD5
ea257a08f4311b77d02f0dba3f1734cc

SHA1
d4d7a73a562d3fa9986c47eed0e172cd7d583fa4

SHA256
20ab1c341364d83285c82de62408796667cba9be7ae65c915d4e1e12ef7ad97b

SHA512
e69edd5004252e0b9f42510bc428573e2f249cde3622784b14f0ae1830fac7ed44457726f4c411d2ac4f9def0dffd85fec6eaad55041e0b4f86e4738412c5ff4

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\CES_PlugInHost.dll

Filesize
775KB

MD5
49ce1f597a415370d85c1bf7aa9c8c56

SHA1
5f98f65879d3701d9e1bdb5f68b02f59f5020f55

SHA256
6caf24c107b6d10504e73dec841c4169d5f5a4d366b699402c8d2a51e877032e

SHA512
1b730e43311808105f39273a5a940bbeccddd22058f3046be5771f9ac51b5a2e372774026ee79bf38261bd6026cf9b4eb0260075ebde932c5687720c80bdba6a

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\Catalog.xsd

Filesize
7KB

MD5
6c0b3d979d22421930c9b239eb07e475

SHA1
915ab07affbc8bc6c49fbc9130a9365d03d18e84

SHA256
a45d1cbfa731390fc62804d2d2c22c31ae9f1b8f77eb93ecb47900f4f1c481b5

SHA512
2ac395450f9c6d1bd72bb677681558fbadd0f41ed1cb9a49f400c333c270842544fbaab2de2c6a4e525d3e51d01d227a0f0bd22609903eebd89db865f944f188

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\CoreCatalog.xml

Filesize
613B

MD5
82c475e52e98d51397ab41136b92da61

SHA1
6be18bd43ea1423930fb26b70b3c5685674abc20

SHA256
57dcd5ce9c45e8df9944f39d1b3f2884264981ffcff9d07886c02879e770c7aa

SHA512
14e74c40f8f3d08a1182393b273cfe448c038a31a6ca6f52d27a9f8be3f825411630a860f999098637732212431df436c054d2b6169b5cfbccda72bd76e196a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\HelpTopicIds.json

Filesize
2KB

MD5
263b83458ef7864bf99a9b61ded01945

SHA1
c9b419f7d8601eaf496e016529678e48e1ecc67c

SHA256
dfbc57396b4ed8c1a629f5116ce715b05d91e3f3b97d166e953143d1427c36a2

SHA512
06ddce927683b3afed8b60b9f268cbfe440f5c733ea364e7c07788e096913edc7d15d87cb71d72f608fe14f01f3535d5d6e64869d2e9508966ca032318c59331

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\PostSharp.Patterns.Model.dll

Filesize
861KB

MD5
88e91cfdfa4b6d3741c31b9fcb96dfb4

SHA1
8ac1059b04f32675fdf9f6d8a055c293c042c4e5

SHA256
2f70fc194fcd522a1309456f36c45b2c7127d4691f5c8e1e1703c108bf53622d

SHA512
e8b1dd5dd0781a2bcf4f39bc8abecd4001019ccc4e4e029bd41264a528b0c4bf3efa6e2ce49189d10135b6ace423d9a1bf4ad4937a6d0a31e5ca435970df3864

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\RootCatalog.xml

Filesize
745B

MD5
1d3b96d9ddce700679ac048ee1ceb71b

SHA1
094dd8ce7b65be13000ef082f18e778686461f2c

SHA256
3a90d85f1de54984173fc282a061ac270126b6ce1ad0fdd407d6463dc526de39

SHA512
bb94713a577b19d3730c76bd15b61fad7f3310c3a0b1de1e67131d33da57d11cdff670c49cea07824bef2eb9739ef56005dde01eab994692ab1694fd1c820835

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\Support.sav

Filesize
5.5MB

MD5
bd54d1044338266e31cfb70ad6317cb1

SHA1
e4c6d3b1c06adcb2c269058e4e382bf186226824

SHA256
5126d44de7597bf37c7c9d0da3740df44ffc00d20f7462ebe5ad53112a52596a

SHA512
0f4fbf6b0d61fb62fc15e20e294ad1047db04130a45ec7018eee0e05e8d2de432a7f11859e68334428ae9cb96448001bdbac032abd384eb6f227c8c9199a59c3

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\asset.wav

Filesize
3.1MB

MD5
bcfaf0b488d6f9202e19da2af421295c

SHA1
31cb4e8451da080447ad24f020642d234cfd9c3f

SHA256
1ebc3e97d024b35fbd06d88ca73111c40c18a0f7f538e301c1c59d0cf5e76c73

SHA512
55e585799c29dfa5dd77285ad09cc52d9c99e6d2324fcb76fa0f0d80db7a0afb7abaea0d1548625feb8e2e6775271a4d5a903eca85d334c72b4b4e4cefe8f76f

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\diffdog.inst

Filesize
3B

MD5
8f90d1880964b7959e49e2e8709be70b

SHA1
49fcd181196fb550373e83d498cafb2eaee026cc

SHA256
5df748fd8e021b176386cef8fc4920967ea2c9ab7ca615b013744c9a6614546c

SHA512
3a3d2db35c27b6daa877e28b9d920d8b2cfcec0db30a5c897d2f1322540bd855fdd1c9662f119a9468f372f03a6e8334680a8ccdc704bcc93f30d58907913228

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\file_dirdif.ico

Filesize
18KB

MD5
9323bc80f5a18a056bcbd10831d91820

SHA1
2ef7269b341d18e80247f81c81daa0d740e31fce

SHA256
34f7c8571ec1618ef30a9c9b0e82779c02ac8033301120ee321df92685d8a26a

SHA512
e3b1da91310a0cdf1e99d41d415cc41d4546f8bfbc6f6ff9477cf780de18a90f988dc0f6f2e36dfb15e521032209aca65e09a40ca0345c8eb149bb7e722818d9

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\file_filedif.ico

Filesize
18KB

MD5
bc7f04b672921472ef873a8ba8b43d17

SHA1
f649dc3fa6e10551c70b56b77284242b7cb9a243

SHA256
5993ff64f1be29483e7dac836c052f7966639c9e1be674576d1526f09b21be1b

SHA512
9e49ece04919105affcbedaed1ce184e9610c82620b6d8cdd6a21ff6bbd383f068de31e673c7cbd4de44630cf438a621dd4883d340c77b1c32b900b2b8e06509

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\icudt58.dll

Filesize
25.0MB

MD5
169a463a9455f425db2fa780a4d0d09d

SHA1
20f595e9211407eab1307295e950ce8fc8d0cc47

SHA256
5f4863fb6528c22bac7eac7d61f28d77c1c373d0a63a9654eb98df6855e874d1

SHA512
90917354940a9275089dccc9c129eb4b29684181894c43dd445f10922e6e5251c69bc980f1d079c2b6659e74aaa64e758ed5308c5f5dba8c56f406834ced71d1

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\icuin58.dll

Filesize
1.8MB

MD5
ef34c5e58e3e617b9529f498aaadc535

SHA1
4fc1ce77a5ec9d3138a143049d8532c8d54138d0

SHA256
da9e7bb382f40dd0f513d3f2cbb876ac4768853d60509886c0fe262911194952

SHA512
68e3d03d2e602173f257a62243419a593e0b58917cd33d725befbfdcfe7c0db886479845b3b4fec1cbd9395ae79a30a68a0ca38b3785a71933187e62beb78934

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\icuuc58.dll

Filesize
1.2MB

MD5
25d1d25e5fa624f6719d84d298b623f4

SHA1
cd1a0f149ad047349bde137b05f27143e1961700

SHA256
c6c89d777220a3d62fb0f32da2818fed0c8bce5a5ac19bc69cab2feeaceaf96e

SHA512
9258bc211149269627652a4925b0771b80aef070c851f682d24ae00aa6d0609056b940b3815584cab8ad723d4a732f9437bd8b57f354c639398def6e364512f6

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\jhelp1.1.dll

Filesize
18.1MB

MD5
3d8cf3c555349da1e690b115532c2388

SHA1
0892a7c9ac32e918cf228d3272bad000828b792f

SHA256
4ec2b0e2ac29fddfcf205ce31aacdf7ed26afb405bb282db69a04024cc81276f

SHA512
4a170d9e938e20680e9029c9612b55d5b1df1d6875178a8246117f0d3dc89433aaf53eee5a17899581ca6e86e64e70df2975949bdc350b3c5b90c4c01c9e2d12

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\libpng16.dll

Filesize
240KB

MD5
9112f8724f0036bc9354f1ae25856344

SHA1
cad008d2d84ac173201105db27a9df29b66a5dea

SHA256
053a61026fc585261a0c6c66d8c9ada80416aa812261fa7d591937c6737d26d9

SHA512
021e70f07225deeb28b632a5c688709548876131fa7ff58311c72489b5621a514a44707e27ca16e4ed283abebfe18653653499a345d811a0ccc355205ecdf3dd

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\mfc140u.dll

Filesize
4.6MB

MD5
ec9829b23c2e5a7029ac2f9f81924efa

SHA1
9b7400ee4282e4655c0cd5f54c41d3ae14095434

SHA256
28eb2e4de14c90b303e13eaff2e65a4d57e4f5e220bd34ceb858d745a02bdf94

SHA512
7b2831ca2cde03f3f12240ae5f18386bbc1d6da2b66a550515800e8a1947bc64f077eaf498e63cc3e1caf39986cfeeb886f43562c0d451d8c54c196f4af58662

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\msvcp140.dll

Filesize
436KB

MD5
c766ca0482dfe588576074b9ed467e38

SHA1
5ac975ccce81399218ab0dd27a3effc5b702005e

SHA256
85aa8c8ab4cbf1ff9ae5c7bde1bf6da2e18a570e36e2d870b88536b8658c5ba8

SHA512
ee36bc949d627b06f11725117d568f9cf1a4d345a939d9b4c46040e96c84159fa741637ef3d73ed2d01df988de59a573c3574308731402eb52bae2329d7bddac

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\sqlite3.dll

Filesize
1.2MB

MD5
aec1ab9cc272e184c7e896e169786b64

SHA1
32e85dabecc470b6995efaf83f8bf1d7e78b4916

SHA256
5c5e4128afe870f4b830afa30be42b4abd8c4bd8229a9bacf6b24a4081f9b313

SHA512
e059c621a44aac97446f41abb8b6f61d2c12d352f3f87451511a0f87e587bf1c1ebe0a56b074e36bdbae5a7df94eab102c5c0c8bed37fbaee715181c237840cf

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\templates\report.html.template

Filesize
4KB

MD5
680083d8087569cc23b481d527c764c5

SHA1
5a4bc210ebefef5494dbb5a97dcbc66a5988c464

SHA256
894c1a18b17e9fb76684147f58785aafe39089e333ed766267e9f6a3d3ac8b7f

SHA512
191ba759f26a02d8a2a80cc868148cc010042e5ef127fb05a7c24f6c538a80dd141e5d096fd8ab25afd76112d70edd9670a042ccf46c430329eaf7ca530b2241

Download Submit
C:\Users\Admin\AppData\Local\Programs\MotiveWave Proffesional\vcruntime140.dll

Filesize
88KB

MD5
9c133b18fa9ed96e1aeb2da66e4a4f2b

SHA1
238d34dbd80501b580587e330d4405505d5e80f2

SHA256
c7d9dfddbe68cf7c6f0b595690e31a26df4780f465d2b90b5f400f2d8d788512

SHA512
d2d588f9940e7e623022adebebdc5af68421a8c1024177189d11df45481d7bfed16400958e67454c84ba97f0020da559a8dae2ec41950dc07e629b0fd4752e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefeppu

Filesize
40KB

MD5
ab893875d697a3145af5eed5309bee26

SHA1
c90116149196cbf74ffb453ecb3b12945372ebfa

SHA256
02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

SHA512
6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

Download Submit
C:\Windows\Installer\e57d92a.msi

Filesize
42.1MB

MD5
c6482889fe38ab6fac54f0b220ac5407

SHA1
0a69fbde5b864d04ac9c28e2361b2d2e684c8f38

SHA256
0c70a985493b30edda772a39d108743e11b52569bccbb8e5b48a271765fb998d

SHA512
7e952a053c54cfd5dcc3854459ac53ccbf56880e4978030f32f55d433f545002683fc1a43a0e0d919f1b8608e84da72c7c1fa0b575171c91ca1d75048bee8934

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
86b90e4573aaa77d513ce44f62ae8e52

SHA1
bbae6324c397519719ffe9c69d00961d7fbccb65

SHA256
e382eafe933ef88ccdccc7a16856fbf20e497b943cd32c252d3fb222bd31d484

SHA512
bc40b52aa9ec5641a201aa52e3c30abd05d1258955f868334ae23ddc16b9cd34acc801bd951b202631b152e5baa7f664853db101c465b5613295376a1d7a67c5

Download Submit
\??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{65f51026-23f5-4e1e-a718-5706f24a46cf}_OnDiskSnapshotProp

Filesize
6KB

MD5
0435820eedaa0ad819efa0744dab8605

SHA1
8cb695e463000218d8cd32c7eed6caa76b7fd2af

SHA256
6c1ccc44c15d97f90398ab4cb6365e0df563dd1e03851017c8588fe1713aad3b

SHA512
f63661ef82f4d3a3a11bf241efc847877f73571b38350dbc4202a6bf55beec82910da77c161d67f024d29b0ba79a2dd6cd6a7b5bc67a561dea916c9477c2eebe

Download Submit
\??\pipe\LOCAL\crashpad_2652_AGBXZLCMFKRJYWTU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3136-236-0x000000000ECE0000-0x000000000EE39000-memory.dmp

Filesize
1.3MB

Download
memory/3136-270-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-240-0x000000000ECE0000-0x000000000EE39000-memory.dmp

Filesize
1.3MB

Download
memory/3136-245-0x000000000ECE0000-0x000000000EE39000-memory.dmp

Filesize
1.3MB

Download
memory/3136-246-0x0000000015C00000-0x0000000016193000-memory.dmp

Filesize
5.6MB

Download
memory/3136-248-0x0000000012DF0000-0x0000000012E8D000-memory.dmp

Filesize
628KB

Download
memory/3136-247-0x0000000063280000-0x00000000634BE000-memory.dmp

Filesize
2.2MB

Download
memory/3136-249-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-250-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-254-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-255-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-256-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-259-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-260-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-261-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-264-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-263-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-266-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-265-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-267-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-268-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-241-0x000000000ECE0000-0x000000000EE39000-memory.dmp

Filesize
1.3MB

Download
memory/3136-271-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-276-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-280-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-281-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-282-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-283-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-285-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-286-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-288-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-289-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-290-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-291-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-292-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-293-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-294-0x0000000014330000-0x00000000148B7000-memory.dmp

Filesize
5.5MB

Download
memory/3136-107-0x000000000ECE0000-0x000000000EE39000-memory.dmp

Filesize
1.3MB

Download
memory/3136-109-0x000000000ECE0000-0x000000000EE39000-memory.dmp

Filesize
1.3MB

Download
memory/3136-94-0x000000000ECE0000-0x000000000EE39000-memory.dmp

Filesize
1.3MB

Download
memory/3136-91-0x000000006CB30000-0x000000006CB40000-memory.dmp

Filesize
64KB

Download
memory/3136-90-0x0000000071400000-0x00000000714C6000-memory.dmp

Filesize
792KB

Download
memory/3136-393-0x0000000071400000-0x00000000714C6000-memory.dmp

Filesize
792KB

Download