83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
Size

613KB
MD5

61499478b9349400960eed4f38fe8d81
SHA1

68db254441714cd70cb9f97b7eea2b7ad3ee4d24
SHA256

83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7
SHA512

289384e4a8ff49a17d0e97add2eed7ae859d67ac6d8cb8819c4f4f0b5c49dd3eb6d7069080abe9ff9160a4beb8936b0e2ebf95d0c0a9cccfaea331be92018c2b
SSDEEP

12288:Y5FXC1Hxfob9fzzQEmm9RNQBeAKcdIxIQsW8+AIWH2:Y5FeHxfob9fHQE57GE1XA

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 38 IoCs

pid	Process
900	mscorsvw.exe
464	Process not Found
2040	mscorsvw.exe
1180	mscorsvw.exe
1516	mscorsvw.exe
632	dllhost.exe
1156	elevation_service.exe
1536	mscorsvw.exe
368	mscorsvw.exe
576	Process not Found
1896	DllHost.exe
1148	mscorsvw.exe
968	mscorsvw.exe
1900	mscorsvw.exe
1080	mscorsvw.exe
1552	mscorsvw.exe
268	mscorsvw.exe
884	mscorsvw.exe
1668	mscorsvw.exe
1644	mscorsvw.exe
1548	mscorsvw.exe
756	mscorsvw.exe
328	mscorsvw.exe
1536	mscorsvw.exe
1512	mscorsvw.exe
524	mscorsvw.exe
1064	mscorsvw.exe
1620	mscorsvw.exe
1012	mscorsvw.exe
1984	mscorsvw.exe
328	mscorsvw.exe
884	mscorsvw.exe
1728	mscorsvw.exe
2020	mscorsvw.exe
1080	mscorsvw.exe
1840	mscorsvw.exe
756	mscorsvw.exe
1436	mscorsvw.exe

Loads dropped DLL 27 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1552	mscorsvw.exe
1552	mscorsvw.exe
884	mscorsvw.exe
884	mscorsvw.exe
1644	mscorsvw.exe
1644	mscorsvw.exe
756	mscorsvw.exe
756	mscorsvw.exe
1536	mscorsvw.exe
1536	mscorsvw.exe
524	mscorsvw.exe
524	mscorsvw.exe
1620	mscorsvw.exe
1620	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
884	mscorsvw.exe
884	mscorsvw.exe
2020	mscorsvw.exe
2020	mscorsvw.exe
1840	mscorsvw.exe
1840	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\T:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\Q:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\V:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\Y:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\G:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\J:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\M:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\S:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\Z:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\U:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\F:	mscorsvw.exe
File opened (read-only)	\??\I:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\P:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\R:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\F:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\H:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\K:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\W:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\X:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\E:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\N:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\O:	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\vds.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\msdtc.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\vds.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\dllhost.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ui0detect.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\wbengine.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\msiexec.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\vssvc.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File created	\??\c:\windows\system32\alg.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\windows\system32\snmptrap.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File created	\??\c:\windows\system32\fxssvc.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\system32\locator.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	C:\Program Files\7-Zip\Uninstall.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\7-Zip\7zFM.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\7-Zip\7z.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\7-Zip\7zG.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CDA09D62-4330-4176-ACDF-5B7359218FF4}.crmlog	dllhost.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6191.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDD7.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1D61.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CDA09D62-4330-4176-ACDF-5B7359218FF4}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5745.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP390B.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1200	83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeManageVolumePrivilege	1896	DllHost.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe
Token: SeShutdownPrivilege	1516	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1536	1516	mscorsvw.exe	33
PID 1516 wrote to memory of 1536	1516	mscorsvw.exe	33
PID 1516 wrote to memory of 1536	1516	mscorsvw.exe	33
PID 1516 wrote to memory of 368	1516	mscorsvw.exe	34
PID 1516 wrote to memory of 368	1516	mscorsvw.exe	34
PID 1516 wrote to memory of 368	1516	mscorsvw.exe	34
PID 1516 wrote to memory of 1148	1516	mscorsvw.exe	37
PID 1516 wrote to memory of 1148	1516	mscorsvw.exe	37
PID 1516 wrote to memory of 1148	1516	mscorsvw.exe	37
PID 1516 wrote to memory of 968	1516	mscorsvw.exe	38
PID 1516 wrote to memory of 968	1516	mscorsvw.exe	38
PID 1516 wrote to memory of 968	1516	mscorsvw.exe	38
PID 1516 wrote to memory of 1900	1516	mscorsvw.exe	39
PID 1516 wrote to memory of 1900	1516	mscorsvw.exe	39
PID 1516 wrote to memory of 1900	1516	mscorsvw.exe	39
PID 1516 wrote to memory of 1080	1516	mscorsvw.exe	40
PID 1516 wrote to memory of 1080	1516	mscorsvw.exe	40
PID 1516 wrote to memory of 1080	1516	mscorsvw.exe	40
PID 1516 wrote to memory of 1552	1516	mscorsvw.exe	41
PID 1516 wrote to memory of 1552	1516	mscorsvw.exe	41
PID 1516 wrote to memory of 1552	1516	mscorsvw.exe	41
PID 1516 wrote to memory of 268	1516	mscorsvw.exe	42
PID 1516 wrote to memory of 268	1516	mscorsvw.exe	42
PID 1516 wrote to memory of 268	1516	mscorsvw.exe	42
PID 1516 wrote to memory of 884	1516	mscorsvw.exe	43
PID 1516 wrote to memory of 884	1516	mscorsvw.exe	43
PID 1516 wrote to memory of 884	1516	mscorsvw.exe	43
PID 1516 wrote to memory of 1668	1516	mscorsvw.exe	44
PID 1516 wrote to memory of 1668	1516	mscorsvw.exe	44
PID 1516 wrote to memory of 1668	1516	mscorsvw.exe	44
PID 1516 wrote to memory of 1644	1516	mscorsvw.exe	45
PID 1516 wrote to memory of 1644	1516	mscorsvw.exe	45
PID 1516 wrote to memory of 1644	1516	mscorsvw.exe	45
PID 1516 wrote to memory of 1548	1516	mscorsvw.exe	46
PID 1516 wrote to memory of 1548	1516	mscorsvw.exe	46
PID 1516 wrote to memory of 1548	1516	mscorsvw.exe	46
PID 1516 wrote to memory of 756	1516	mscorsvw.exe	47
PID 1516 wrote to memory of 756	1516	mscorsvw.exe	47
PID 1516 wrote to memory of 756	1516	mscorsvw.exe	47
PID 1516 wrote to memory of 328	1516	mscorsvw.exe	48
PID 1516 wrote to memory of 328	1516	mscorsvw.exe	48
PID 1516 wrote to memory of 328	1516	mscorsvw.exe	48
PID 1516 wrote to memory of 1536	1516	mscorsvw.exe	49
PID 1516 wrote to memory of 1536	1516	mscorsvw.exe	49
PID 1516 wrote to memory of 1536	1516	mscorsvw.exe	49
PID 1516 wrote to memory of 1512	1516	mscorsvw.exe	50
PID 1516 wrote to memory of 1512	1516	mscorsvw.exe	50
PID 1516 wrote to memory of 1512	1516	mscorsvw.exe	50
PID 1516 wrote to memory of 524	1516	mscorsvw.exe	51
PID 1516 wrote to memory of 524	1516	mscorsvw.exe	51
PID 1516 wrote to memory of 524	1516	mscorsvw.exe	51
PID 1516 wrote to memory of 1064	1516	mscorsvw.exe	52
PID 1516 wrote to memory of 1064	1516	mscorsvw.exe	52
PID 1516 wrote to memory of 1064	1516	mscorsvw.exe	52
PID 1516 wrote to memory of 1620	1516	mscorsvw.exe	53
PID 1516 wrote to memory of 1620	1516	mscorsvw.exe	53
PID 1516 wrote to memory of 1620	1516	mscorsvw.exe	53
PID 1516 wrote to memory of 1012	1516	mscorsvw.exe	54
PID 1516 wrote to memory of 1012	1516	mscorsvw.exe	54
PID 1516 wrote to memory of 1012	1516	mscorsvw.exe	54
PID 1516 wrote to memory of 1984	1516	mscorsvw.exe	55
PID 1516 wrote to memory of 1984	1516	mscorsvw.exe	55
PID 1516 wrote to memory of 1984	1516	mscorsvw.exe	55
PID 1516 wrote to memory of 328	1516	mscorsvw.exe	56

C:\Users\Admin\AppData\Local\Temp\83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe
"C:\Users\Admin\AppData\Local\Temp\83c5bfda45d9f36fdfc3f4fa6b0ef3c1512f0d613e19508fb29193dd3a25eae7.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:900

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 19c -NGENProcess 198 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 19c -NGENProcess 198 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 200 -NGENProcess 1b4 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 258 -NGENProcess 22c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1b4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 22c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1b4 -NGENProcess 22c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 264 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 22c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 27c -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 278 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 284 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 288 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 280 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 280 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c4 -NGENProcess 2a8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:632

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
636KB

MD5
9363b1835b5a2a54435b3e7289b06068

SHA1
66b27309704be81dc885d6c6601a1b2bfdea16f5

SHA256
2bd26369270cd2acad5bff552dc0a5185d71dee65c5e173c91204d81651ee836

SHA512
0e11dcb228e58766a027ae411e7c7c9656c81be566e008a21bf948df8673b9dfc5ef1efe4ee865e536bd24c81ce4f4d4cbe57f40dc74386dd96b737ea18697be

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
0895a9d839b41c4c1f45c51b964fa81a

SHA1
498d977accbf1f59aa953bed9dfd3993ff1738c4

SHA256
539f3c3dceb949019e4957714fb2899a988317f27562f20bf904e33f8ef6fda3

SHA512
16f4f4ad5291627ac84cbb1bea7af7db9ee8499381f27a828c025b8f07db0fa3b1442b5cf5f3ef4835e56594b6a422db2243d145880f2f20d67fd6ec0c3f5cf2

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.9MB

MD5
57d27befae90b36ade9dd4362b54068a

SHA1
a1d96b87fbed1bddae4f00a38d612684497ff0ea

SHA256
d9bcde59514f120cadb1e88372adfe63b36460534e55185d72f6245850087ea3

SHA512
a569268c361187620b732c64b3f979d47aa3364e79fdc3a630c0c2ebe19f19290fcad43b77942c7e939b550a4e1d67995d8c2ccc5a1bdaba1894083a86f75d70

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
578KB

MD5
838284acb4fcd0de51cb99625504c654

SHA1
3efc83d52b14a71e5f433a33a8b583c207ad4500

SHA256
08b51c390a554cc531060218f9cb0545e6988cec89acdbcbc6b9c75257689542

SHA512
4f8a4473d9604512c6bbfb95382a0e44884cba45c92972ceb3a9ef9f2aa7f189ff092c7c1dd106f82b5939232fe25b321a40dfe3d5d632e9a75014a87cc348c8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
578KB

MD5
838284acb4fcd0de51cb99625504c654

SHA1
3efc83d52b14a71e5f433a33a8b583c207ad4500

SHA256
08b51c390a554cc531060218f9cb0545e6988cec89acdbcbc6b9c75257689542

SHA512
4f8a4473d9604512c6bbfb95382a0e44884cba45c92972ceb3a9ef9f2aa7f189ff092c7c1dd106f82b5939232fe25b321a40dfe3d5d632e9a75014a87cc348c8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
70b298e4de1d52e2ec9606e3f256913f

SHA1
7dd67b4d6b3dcacd8893c088acf5435eb4007ee6

SHA256
99dbdba1d4d234668a71490deb41183ef1696d759b887b75d8bf1e0730f0db12

SHA512
9d218ca0bd5684c3e123f2eb1bede9e47b2237711c777c502249fb2d3a1b4344c7b5616c8d50441602d6e27bebb0eb54eaf5a6f4d9fbb79509c0734f56962bbd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
70b298e4de1d52e2ec9606e3f256913f

SHA1
7dd67b4d6b3dcacd8893c088acf5435eb4007ee6

SHA256
99dbdba1d4d234668a71490deb41183ef1696d759b887b75d8bf1e0730f0db12

SHA512
9d218ca0bd5684c3e123f2eb1bede9e47b2237711c777c502249fb2d3a1b4344c7b5616c8d50441602d6e27bebb0eb54eaf5a6f4d9fbb79509c0734f56962bbd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
a7abf87cd315e43d0a22526c9896be12

SHA1
7fd6f0d98689c237f1314c43e5e796fc21495bf1

SHA256
0987b24eaf950776a03e1d2384c9bd2eca626a13cf0f69f832cfdcd94748dab4

SHA512
b326ce5d547bcdf9a2d84b178f7ffb1029a3d85d64c32104848e7b75262cfda2168a3f7088143fb6c24cbeca2e7fa706ba56e6c7346ff531b7f1fe2deb388f6b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
505KB

MD5
548994c34fab722cde6e64b6b8715f24

SHA1
06b04b39e0faf34bd05185433b2849d604372cb3

SHA256
b2405412c119299b90cce819b2205f5b3b704dd5a684ba682ffbad3ac266a94e

SHA512
24a1152079c35c8fd6af259230baa94fd8ddd1875f3305d2f116587f7e0562a17d4edac7e242e825ea2981454ea079fbae82189c4b0be7c2ba75dfb017d91577

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
505KB

MD5
548994c34fab722cde6e64b6b8715f24

SHA1
06b04b39e0faf34bd05185433b2849d604372cb3

SHA256
b2405412c119299b90cce819b2205f5b3b704dd5a684ba682ffbad3ac266a94e

SHA512
24a1152079c35c8fd6af259230baa94fd8ddd1875f3305d2f116587f7e0562a17d4edac7e242e825ea2981454ea079fbae82189c4b0be7c2ba75dfb017d91577

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
636KB

MD5
8e81580906b5f338080c4aaf6d1d2c4e

SHA1
2f1865e993da08d5b40433f30b94933a2e3825a3

SHA256
3ebe7a882ad30623cfe8bd363e44e747e7c61ebac2651eb7f70aa72451ce4cb2

SHA512
ece0774bc82b1003729267c4cad988ef7a4979f1c59a50d5c58d421fe157e7a47594449e22539dceeda144eefeea846e3cb6480a7b0a4d88264b294ad905ec53

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
0f298fb481134957bf3566eca80a9a41

SHA1
4b8edfefa5a5d52be1c0106ce43143f9b2c13e07

SHA256
a100122d826490605a3314a95dfddcf7449a9e3f166accd2d902250ff92220cc

SHA512
6ea87166084ce3773510ae78dcbe889bb708912e7d8a6b331b231b368096b24a88b1835d50ce04451015ffd49b6aa6288d1149eaa7e145b63820cafef73131c0

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
726KB

MD5
519fde5a29b5cd9abd49110ce70d4ae3

SHA1
7fd114b4d7b53c3538575985edd8f9be295ec7d6

SHA256
8185de5f8a567d185941f36590bad12011609e2df0ec169f7a731f662717a34e

SHA512
efa23dcc8323f808dda8ed525805a748e3a1bd7580099e41ca7eaf78e1b9ee44a805139c72173579cd05eda06447aa41f449324c5194f071f79a25e95a702c43

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.2MB

MD5
bc9b4c7bea3126d0b06eaf23759e5385

SHA1
643e9d86d3c5bbd38c26858e8ba2f6286c291174

SHA256
3ebd789ae3ead78ad6acbcc2418e8d8dc377782dd4e6110de5b4c8f810c68072

SHA512
f1af26017b0875b3a1afba04be343ecd4cceb29db25e6c9703cd9c03ea9fe73242dbee322164fccceb1e627b3deae4317cceb9aae39fbd34325df9d830b8238d

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
620KB

MD5
0873ce0dc62170bc672bc80a9843ed5d

SHA1
a8e1c837b604acd68fa346223e92b16a19a7f9f6

SHA256
233c9e889490e6ecbd3f6755f20d2912aa368f490d473acd5e3132af052dbef7

SHA512
a445c773fd53d0f931852c58ef1b6c1724da53608212456676b6d72910e06126ff038c3a22d5753ccd944d5f45ffd1596a98cfa25fae5fe2b2034451054f170d

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
532KB

MD5
964f08f89cd0bbacd87ecad8f5def452

SHA1
ea9a5d05d39a4f302209c6c9ede2bb12b87989de

SHA256
9f6aaf29af7f7cfa902846da4a21814ebadb37fcb96ce5136af06262b33029aa

SHA512
7eb7eea32981cbbba6801487fc2edb13e290a52c044247b7fd0baecfa5525461d201ef41c5be9db2c4e84f65e1f82fa3c69b4cb9aa09e3c85939c87ef406ff5b

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
a7abf87cd315e43d0a22526c9896be12

SHA1
7fd6f0d98689c237f1314c43e5e796fc21495bf1

SHA256
0987b24eaf950776a03e1d2384c9bd2eca626a13cf0f69f832cfdcd94748dab4

SHA512
b326ce5d547bcdf9a2d84b178f7ffb1029a3d85d64c32104848e7b75262cfda2168a3f7088143fb6c24cbeca2e7fa706ba56e6c7346ff531b7f1fe2deb388f6b

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
573KB

MD5
7da4d65aea3ddf141e6b5e14c7635f5a

SHA1
ce2fcd6927d06ea59986464126d1c9e6478322ac

SHA256
6375b5252d9b80fcaea0d10a2b86dbb0470f2df506e7b063706977db7330633c

SHA512
e12f7bff0c8ef532cf82093b2093e9b93b3245fdf607475b39cab99a8e707d21380b0074f842cb0587501796e6ad6ec5996e1054446bd3e5a14a4c3bb56f749f

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
879399d40c873b610717e96ee43a03dd

SHA1
bf8e778e6398836588088d6b2a32900af2351082

SHA256
8a94259d7e2f629d24fd181ef0a2466bb4c1dbce8c29ceb39bb96f0994cc468a

SHA512
359b19a6d17d091d253354cee497fd96297252b0a8325a01c58ea6cf0dbc8a8f1499b6a57f6926ba4c3b8d504dbfb57899944b771b72352a7a5d7eaafb6687a0

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
605KB

MD5
7507ca925bbbda99d013115df0cfda36

SHA1
ec863979ec89e1a6dd3842ef44f6384eb0596f35

SHA256
46a0f60d542617d628d7b1400c7921512624570e6b8ea7040fce66418493dfa8

SHA512
333684b4b7081561560f76b7621a3c2c332d304093d47f24845409253822a212adb3ca83612fe545c35254415c10f88ba34e6750c34715b968d0e21e26e88b06

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
634KB

MD5
22bf86c83400b6b9492c48386c3a7807

SHA1
ae13267f81f222dc7b131920a9445d4df6d93209

SHA256
cc83e30397ad35a63f8efaf5424e8bafada6f185a8ea957d3187c29d2b947132

SHA512
173f320ed063e887efafb43a19bb4e97f4f64dff14daf9da846507087a69abdd979bedacdb4b1216bfd0199781c6f48a692b712256a150b6d84d13de685d181a

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
621KB

MD5
32891f2d4c49a90397986fb499884135

SHA1
5d7b4bf35521feca3c4c27e5d7cab3a2228e2ddb

SHA256
fc536721c0339f73781a10d300752e9722f5cb9737649a18e519e68992a684c6

SHA512
aeedac9c879567e1a46d186be672d211ddcc23ad781b97a4b97d0270377302e02452c1fbcbae4a81ccd6f31fd820f7d3b30285cbb2f89833a07cbd3041565827

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
510KB

MD5
ddce23d7842c9f37d67d2768638d7c41

SHA1
a6bf46184049f444ce24bd0e652a4db74df2d641

SHA256
f078055c3c25f4b4501f564b3d67eb688434c7f48b05d6d2bdd9218322fe0fca

SHA512
135c519167a9f00b3cfc9d15e8e7a7385bcfdcb2befbc26be145cb0bfa29c73dd066a2a490792dd764a44a462c1f40ca9a34be6fae0dad68bc050b00937ed8b8

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
536KB

MD5
92fb718d67143459f3b1ad4b0e942830

SHA1
c4054a9fd3fd79d70600a332f51a3abef61f8327

SHA256
a10c1126c7e55226cc3cd7c05c07e71d8a006d7b530bb40b1c304a63e321d526

SHA512
fcb5cf5d5bfa81243807fb8c4144308657ccc8ebfc38c9c92409ed8a592c13f93eee747c71070a3b9b0926a99584510eedbe1991cc6ce2e53f66957d657e2737

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1017KB

MD5
ec59c7e3286151a463bd40931a00e8f5

SHA1
97538caf0315c5f2aa18467a932c730f172ed7aa

SHA256
0f9149eb7312cf8db8d4ecd4b8ae5c41e287233916081240fbaff6d2b04bdde9

SHA512
08ee65ce63888c31bf2eb7e40977e1cffca0e6d29ed5d355c84763c5eaa9fcde2bafcbffdec0f5e5bb9c48f942e8dd4896b5c58403017054a26e614e026b71a8

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
70a08759d33880936ef7df108a577376

SHA1
4e96ec38cd8ab4d126a7de39834e23e1dcc047ab

SHA256
d081934c51ff4e5e69cfe8eb01661e76b0f23b618127338515a76b0f5e61bbaa

SHA512
6a5e9c7ab0200488bd75462dfb820b91afcd4f8dfe3aaf2f271516ffd66b4332996190e9dc9c341a49c74df88eb6572c479fbdef90431aa65ed5f07a79506f21

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
694KB

MD5
21b35d583fa57e9645ad162d6f237ea8

SHA1
d7ce640f7637eb16d4ed48229dee5fbd4218831f

SHA256
03f2cc02765eadd4095a63587ab150222eae96024ffda3ff4d69dca616dbfcc4

SHA512
5616997f2f2b98abd2d34c8bcdecf63b230a02bbf08a55fcdb29e9c6f7a457b85194a5d3fb111072a0c4ccfa678075ec19338b2d5249d40a95d67013868075e5

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
ad57afc3ec80914ecd6d64ed6313c326

SHA1
adaa841f7e8928b9e5e94db2e352866a4d640cb5

SHA256
a5a71dbe12d3532499270832016996210808e12ec308f77bf185445001c332f0

SHA512
f80ab36bff4973774d37555ed47f5080c0234395a245ff93a3e59ef71c3eb99b962f0b198f4cb0ac7ab451b4537c77a4112dec1a8b27508d6d8cd499e2552a6a

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.9MB

MD5
57d27befae90b36ade9dd4362b54068a

SHA1
a1d96b87fbed1bddae4f00a38d612684497ff0ea

SHA256
d9bcde59514f120cadb1e88372adfe63b36460534e55185d72f6245850087ea3

SHA512
a569268c361187620b732c64b3f979d47aa3364e79fdc3a630c0c2ebe19f19290fcad43b77942c7e939b550a4e1d67995d8c2ccc5a1bdaba1894083a86f75d70

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
578KB

MD5
838284acb4fcd0de51cb99625504c654

SHA1
3efc83d52b14a71e5f433a33a8b583c207ad4500

SHA256
08b51c390a554cc531060218f9cb0545e6988cec89acdbcbc6b9c75257689542

SHA512
4f8a4473d9604512c6bbfb95382a0e44884cba45c92972ceb3a9ef9f2aa7f189ff092c7c1dd106f82b5939232fe25b321a40dfe3d5d632e9a75014a87cc348c8

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
578KB

MD5
838284acb4fcd0de51cb99625504c654

SHA1
3efc83d52b14a71e5f433a33a8b583c207ad4500

SHA256
08b51c390a554cc531060218f9cb0545e6988cec89acdbcbc6b9c75257689542

SHA512
4f8a4473d9604512c6bbfb95382a0e44884cba45c92972ceb3a9ef9f2aa7f189ff092c7c1dd106f82b5939232fe25b321a40dfe3d5d632e9a75014a87cc348c8

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
ece55fdb3e1cc129d03572ec7ae5f272

SHA1
a3057c108c78b11a8c0e0f47bc8b8fd74ba5d618

SHA256
8f740d34ce427918e436c6265938c13373d6906d4d1465ae2b16d520009edeff

SHA512
dd9a910bd6c707df63e6e17a163b1f890ea29a143511725e4c3afd59436b94b0d3cf495976d7d87c678ee19942b675c4320edea51ff71a43c089a23263e8e2f7

Download Submit
\Windows\System32\dllhost.exe

Filesize
505KB

MD5
548994c34fab722cde6e64b6b8715f24

SHA1
06b04b39e0faf34bd05185433b2849d604372cb3

SHA256
b2405412c119299b90cce819b2205f5b3b704dd5a684ba682ffbad3ac266a94e

SHA512
24a1152079c35c8fd6af259230baa94fd8ddd1875f3305d2f116587f7e0562a17d4edac7e242e825ea2981454ea079fbae82189c4b0be7c2ba75dfb017d91577

Download Submit
\Windows\System32\dllhost.exe

Filesize
505KB

MD5
548994c34fab722cde6e64b6b8715f24

SHA1
06b04b39e0faf34bd05185433b2849d604372cb3

SHA256
b2405412c119299b90cce819b2205f5b3b704dd5a684ba682ffbad3ac266a94e

SHA512
24a1152079c35c8fd6af259230baa94fd8ddd1875f3305d2f116587f7e0562a17d4edac7e242e825ea2981454ea079fbae82189c4b0be7c2ba75dfb017d91577

Download Submit
\Windows\System32\dllhost.exe

Filesize
505KB

MD5
548994c34fab722cde6e64b6b8715f24

SHA1
06b04b39e0faf34bd05185433b2849d604372cb3

SHA256
b2405412c119299b90cce819b2205f5b3b704dd5a684ba682ffbad3ac266a94e

SHA512
24a1152079c35c8fd6af259230baa94fd8ddd1875f3305d2f116587f7e0562a17d4edac7e242e825ea2981454ea079fbae82189c4b0be7c2ba75dfb017d91577

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1D61.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1D61.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2849.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2849.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP390B.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP390B.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDD7.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDD7.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFAA5.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFAA5.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
memory/268-164-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/268-158-0x000007FEF2DF0000-0x000007FEF3813000-memory.dmp

Filesize
10.1MB

Download
memory/268-161-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/268-160-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/268-159-0x000007FEEEBE0000-0x000007FEEFC76000-memory.dmp

Filesize
16.6MB

Download
memory/268-162-0x000000001CAD0000-0x000000001CDCF000-memory.dmp

Filesize
3.0MB

Download
memory/328-204-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/328-200-0x000007FEF2DF0000-0x000007FEF3813000-memory.dmp

Filesize
10.1MB

Download
memory/328-201-0x000007FEEEBE0000-0x000007FEEFC76000-memory.dmp

Filesize
16.6MB

Download
memory/328-234-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/368-95-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/368-94-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/524-216-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/524-219-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/524-217-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/524-215-0x000007FEF2DF0000-0x000007FEF3813000-memory.dmp

Filesize
10.1MB

Download
memory/632-96-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/632-77-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/756-193-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/756-199-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/756-194-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/756-192-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/756-246-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/884-169-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/884-168-0x000000001CAC0000-0x000000001CDBF000-memory.dmp

Filesize
3.0MB

Download
memory/884-173-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/884-236-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/884-166-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/884-167-0x000007FEF2BD0000-0x000007FEF35F3000-memory.dmp

Filesize
10.1MB

Download
memory/900-57-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/900-59-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/968-137-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1012-229-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1064-220-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/1064-222-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1080-144-0x000007FEF2DF0000-0x000007FEF3813000-memory.dmp

Filesize
10.1MB

Download
memory/1080-146-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1080-149-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1080-145-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1148-134-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1156-80-0x0000000140000000-0x000000014034E000-memory.dmp

Filesize
3.3MB

Download
memory/1156-103-0x0000000140000000-0x000000014034E000-memory.dmp

Filesize
3.3MB

Download
memory/1180-67-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1200-75-0x0000000001000000-0x00000000011BE000-memory.dmp

Filesize
1.7MB

Download
memory/1200-55-0x0000000001000000-0x00000000011BE000-memory.dmp

Filesize
1.7MB

Download
memory/1436-251-0x000007FEF2DF0000-0x000007FEF3813000-memory.dmp

Filesize
10.1MB

Download
memory/1512-214-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1512-212-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/1512-211-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1516-93-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1516-70-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1516-76-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1536-206-0x000007FEF3CD0000-0x000007FEF46F3000-memory.dmp

Filesize
10.1MB

Download
memory/1536-92-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1536-86-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1536-205-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1536-84-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1536-210-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-187-0x000007FEF2DF0000-0x000007FEF3813000-memory.dmp

Filesize
10.1MB

Download
memory/1548-188-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-191-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-151-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-155-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-150-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/1620-227-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1620-223-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1620-224-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1620-225-0x000007FEF2DF0000-0x000007FEF3813000-memory.dmp

Filesize
10.1MB

Download
memory/1644-186-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1644-181-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/1644-180-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1668-176-0x000007FEF2DF0000-0x000007FEF3813000-memory.dmp

Filesize
10.1MB

Download
memory/1668-179-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1728-238-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1896-128-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1896-113-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1896-126-0x0000000004350000-0x0000000004358000-memory.dmp

Filesize
32KB

Download
memory/1896-120-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/1896-114-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1900-139-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1900-140-0x000007FEF3600000-0x000007FEF4023000-memory.dmp

Filesize
10.1MB

Download
memory/1900-138-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1900-142-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1984-230-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1984-232-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2020-239-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2040-64-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2040-65-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download