054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
Size

582KB
MD5

5b3b7b450ada6b37d07135727867c250
SHA1

5672ec0cd389e34b33f290b2a358915e5dfacb6f
SHA256

054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce
SHA512

716700a4d5955869222ef3c84f6f18ef386a436a3d71917c7c5dfc6a0b7eb3e01bf5e2200ecd7882f49f941c2dcb1e5c77aa86703deac723f69349dcd9b1e25b
SSDEEP

12288:lMx2jaMJ3OFs3CxYD5O6b2a0QnqC+TVSgQwlvfzWyRdCvsE0:/xOWy3fHTVDq

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 29 IoCs

pid	Process
1156	mscorsvw.exe
460	Process not Found
956	mscorsvw.exe
1984	mscorsvw.exe
1496	mscorsvw.exe
824	dllhost.exe
276	mscorsvw.exe
1548	mscorsvw.exe
520	mscorsvw.exe
1600	mscorsvw.exe
944	mscorsvw.exe
788	mscorsvw.exe
568	mscorsvw.exe
1516	mscorsvw.exe
1160	mscorsvw.exe
1716	mscorsvw.exe
1204	mscorsvw.exe
1064	mscorsvw.exe
1528	mscorsvw.exe
1572	mscorsvw.exe
1184	mscorsvw.exe
748	mscorsvw.exe
1704	mscorsvw.exe
772	mscorsvw.exe
1988	mscorsvw.exe
888	mscorsvw.exe
1576	mscorsvw.exe
876	mscorsvw.exe
1792	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\F:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\system32\bkoolokl.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\system32\gicmlhpj.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\system32\ikqqkimd.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\cinpgifd.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\SysWOW64\nijoapdb.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\system32\ccochacp.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\system32\bqphjmnh.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ejjpdaia.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\ihbnqbbj.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\vds.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\system32\ijjogjao.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\system32\lcfldpkh.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\system32\ieifnemc.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\lmabmeen.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	mscorsvw.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\hbjbcbij.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\program files (x86)\microsoft office\office14\pnqeggkd.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\pcmobaag.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	mscorsvw.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\ekhbehdc.tmp	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\cknkncmd.tmp	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe

Drops file in Windows directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\ehome\eaneeilk.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\opfhadck.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mfajaefd.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\anafjdbe.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E04990D1-4708-4BCB-8E08-EBCF8D2FB121}.crmlog	dllhost.exe
File created	\??\c:\windows\ehome\djjiokhk.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E04990D1-4708-4BCB-8E08-EBCF8D2FB121}.crmlog	dllhost.exe
File created	\??\c:\windows\servicing\dfdngili.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\pnkffkao.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\kikepapb.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\ehdpnoeb.tmp	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	mscorsvw.exe
1984	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1424	054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 276	1984	mscorsvw.exe	31
PID 1984 wrote to memory of 276	1984	mscorsvw.exe	31
PID 1984 wrote to memory of 276	1984	mscorsvw.exe	31
PID 1984 wrote to memory of 276	1984	mscorsvw.exe	31
PID 1984 wrote to memory of 1548	1984	mscorsvw.exe	32
PID 1984 wrote to memory of 1548	1984	mscorsvw.exe	32
PID 1984 wrote to memory of 1548	1984	mscorsvw.exe	32
PID 1984 wrote to memory of 1548	1984	mscorsvw.exe	32
PID 1984 wrote to memory of 520	1984	mscorsvw.exe	33
PID 1984 wrote to memory of 520	1984	mscorsvw.exe	33
PID 1984 wrote to memory of 520	1984	mscorsvw.exe	33
PID 1984 wrote to memory of 520	1984	mscorsvw.exe	33
PID 1984 wrote to memory of 1600	1984	mscorsvw.exe	34
PID 1984 wrote to memory of 1600	1984	mscorsvw.exe	34
PID 1984 wrote to memory of 1600	1984	mscorsvw.exe	34
PID 1984 wrote to memory of 1600	1984	mscorsvw.exe	34
PID 1984 wrote to memory of 944	1984	mscorsvw.exe	35
PID 1984 wrote to memory of 944	1984	mscorsvw.exe	35
PID 1984 wrote to memory of 944	1984	mscorsvw.exe	35
PID 1984 wrote to memory of 944	1984	mscorsvw.exe	35
PID 1984 wrote to memory of 788	1984	mscorsvw.exe	36
PID 1984 wrote to memory of 788	1984	mscorsvw.exe	36
PID 1984 wrote to memory of 788	1984	mscorsvw.exe	36
PID 1984 wrote to memory of 788	1984	mscorsvw.exe	36
PID 1984 wrote to memory of 568	1984	mscorsvw.exe	37
PID 1984 wrote to memory of 568	1984	mscorsvw.exe	37
PID 1984 wrote to memory of 568	1984	mscorsvw.exe	37
PID 1984 wrote to memory of 568	1984	mscorsvw.exe	37
PID 1984 wrote to memory of 1516	1984	mscorsvw.exe	38
PID 1984 wrote to memory of 1516	1984	mscorsvw.exe	38
PID 1984 wrote to memory of 1516	1984	mscorsvw.exe	38
PID 1984 wrote to memory of 1516	1984	mscorsvw.exe	38
PID 1984 wrote to memory of 1160	1984	mscorsvw.exe	39
PID 1984 wrote to memory of 1160	1984	mscorsvw.exe	39
PID 1984 wrote to memory of 1160	1984	mscorsvw.exe	39
PID 1984 wrote to memory of 1160	1984	mscorsvw.exe	39
PID 1984 wrote to memory of 1716	1984	mscorsvw.exe	40
PID 1984 wrote to memory of 1716	1984	mscorsvw.exe	40
PID 1984 wrote to memory of 1716	1984	mscorsvw.exe	40
PID 1984 wrote to memory of 1716	1984	mscorsvw.exe	40
PID 1984 wrote to memory of 1204	1984	mscorsvw.exe	41
PID 1984 wrote to memory of 1204	1984	mscorsvw.exe	41
PID 1984 wrote to memory of 1204	1984	mscorsvw.exe	41
PID 1984 wrote to memory of 1204	1984	mscorsvw.exe	41
PID 1984 wrote to memory of 1064	1984	mscorsvw.exe	42
PID 1984 wrote to memory of 1064	1984	mscorsvw.exe	42
PID 1984 wrote to memory of 1064	1984	mscorsvw.exe	42
PID 1984 wrote to memory of 1064	1984	mscorsvw.exe	42
PID 1984 wrote to memory of 1528	1984	mscorsvw.exe	43
PID 1984 wrote to memory of 1528	1984	mscorsvw.exe	43
PID 1984 wrote to memory of 1528	1984	mscorsvw.exe	43
PID 1984 wrote to memory of 1528	1984	mscorsvw.exe	43
PID 1984 wrote to memory of 1572	1984	mscorsvw.exe	44
PID 1984 wrote to memory of 1572	1984	mscorsvw.exe	44
PID 1984 wrote to memory of 1572	1984	mscorsvw.exe	44
PID 1984 wrote to memory of 1572	1984	mscorsvw.exe	44
PID 1984 wrote to memory of 1184	1984	mscorsvw.exe	45
PID 1984 wrote to memory of 1184	1984	mscorsvw.exe	45
PID 1984 wrote to memory of 1184	1984	mscorsvw.exe	45
PID 1984 wrote to memory of 1184	1984	mscorsvw.exe	45
PID 1984 wrote to memory of 748	1984	mscorsvw.exe	46
PID 1984 wrote to memory of 748	1984	mscorsvw.exe	46
PID 1984 wrote to memory of 748	1984	mscorsvw.exe	46
PID 1984 wrote to memory of 748	1984	mscorsvw.exe	46

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe
"C:\Users\Admin\AppData\Local\Temp\054d83bc4770602eae3426f49045100b6b41989db4016f1277d3fa1a5c4c38ce.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1156

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1b0 -NGENProcess 1b4 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 238 -NGENProcess 240 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 238 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 220 -NGENProcess 240 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 21c -NGENProcess 1ac -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1ac -NGENProcess 238 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 130 -NGENProcess 15c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 22c -NGENProcess 240 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 23c -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c4 -NGENProcess 15c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 130 -NGENProcess 240 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1b0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 284 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a4 -NGENProcess 27c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 130 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
644KB

MD5
a07dabfc401d319887fee676bd9d4d62

SHA1
bfa43ad9951a4d1966f4c097ebcfaed554f5de9b

SHA256
1c9cdff972138804324a50c07ef115924dd7e0397bb73284cce3a5ecf3aae602

SHA512
9a472c7c2ae228e07cb0361474a8d9c22d79c04de42e5e702f8f9f496ea8ffff2674948f8ad91e7589e3b2ea02f32533f11d0568881a54851f8745b08f0d71e1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
644KB

MD5
a07dabfc401d319887fee676bd9d4d62

SHA1
bfa43ad9951a4d1966f4c097ebcfaed554f5de9b

SHA256
1c9cdff972138804324a50c07ef115924dd7e0397bb73284cce3a5ecf3aae602

SHA512
9a472c7c2ae228e07cb0361474a8d9c22d79c04de42e5e702f8f9f496ea8ffff2674948f8ad91e7589e3b2ea02f32533f11d0568881a54851f8745b08f0d71e1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
d7e167ecf7e54b89aeb8e761820a6f39

SHA1
f4b366db0aab892ff1114910be94d22425d24e89

SHA256
cac19d3036a5128bfa635d3204ffa23b94891532448c7445dfae98226dda3f2b

SHA512
74920442bcaa86720f50f9bd054781ae91769fa6dadece8575bf27c553183a3f189a4efa7477e855a383ac72c3878fedd3f81c57b14b3415d90cde2c3123b8d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
d7e167ecf7e54b89aeb8e761820a6f39

SHA1
f4b366db0aab892ff1114910be94d22425d24e89

SHA256
cac19d3036a5128bfa635d3204ffa23b94891532448c7445dfae98226dda3f2b

SHA512
74920442bcaa86720f50f9bd054781ae91769fa6dadece8575bf27c553183a3f189a4efa7477e855a383ac72c3878fedd3f81c57b14b3415d90cde2c3123b8d0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
621KB

MD5
dca571391321e82f9c34baee93df4efd

SHA1
48fb59b6775acde305b9f340d399d2dcc9f18aef

SHA256
885f38431857655df4474c036283b34a84dc9c0fd8f6a7d29ada71ddda6e9c57

SHA512
3779ab87fb0c581de80ca4f5b446a5bd0f2bc2531f57bf6bbb10524d88dc3dfd3cdcdbddd22136879812579e334ee893cf1d9942f4051f3e87bafa93fdced72d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
621KB

MD5
dca571391321e82f9c34baee93df4efd

SHA1
48fb59b6775acde305b9f340d399d2dcc9f18aef

SHA256
885f38431857655df4474c036283b34a84dc9c0fd8f6a7d29ada71ddda6e9c57

SHA512
3779ab87fb0c581de80ca4f5b446a5bd0f2bc2531f57bf6bbb10524d88dc3dfd3cdcdbddd22136879812579e334ee893cf1d9942f4051f3e87bafa93fdced72d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
648KB

MD5
a3af59b9e8aaa9233fb130b73e8be35e

SHA1
407fa7d2d60a86677a48ce11f03cf7159451f898

SHA256
e17e5a434a75476a7cf14f27590a7aecd2b7cce2818d457510f17ed50b2b3101

SHA512
317b2a02bae51c4ae53783ff8c234cde00ddbd48f2058c933b41720d753000615abee0af2c93678ea97b11c57a9f2e3c0c4b76af877e9270296897828960aa3f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
569KB

MD5
edd7ccace17dbc118c37f189bd7f46a1

SHA1
8da1d8cf50dbdc7f2b811fdb08f75d16724b39dc

SHA256
a092c780d2907b1851c1b75f703cc77186b22143c634791e052922e4928dad50

SHA512
ed892e93ea2bcc90856b6b4131e40f362b4227220ef357ef9a93360fddeccda50fd583b2f2dc8c7d21adf0af935eeac8d9140402f290187806579b0de602d68c

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
698KB

MD5
7048f90224a57116733ee88da0f528c0

SHA1
1a500eb84591853eae3abb5478a07257c3a68c95

SHA256
4983713aa22cba41d3bd4167b18b1dcdbd838b044257635ca69b332c89bb14d4

SHA512
fbf0a46abfd36889d9e42574a3a42a18f17d9d3a0a8681643f53f6063f031360bce7ff73a4ba0bc605a7a060d8511725064dab68c67de86b3583c9ab445311c4

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
5f974803227f3d44727d36d84db71714

SHA1
ea6efeccd7c04165897d78bd73c1f7978f36e606

SHA256
fd587adae932e67b4dda54637b8e7c912f309432d52b28719b1d15cf1346b8a7

SHA512
0021f3bf3cab675013e2af3eececdf18ebf5ee053c1663daf67fb8a0a0f420a2c7e8db9cc4f92249be85e9852ea6a463de6bf32359d10121aa4766833a9a06af

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.2MB

MD5
56846622cfd7fb2ff0a383ec57c1a2bc

SHA1
b2d752af804496ed5455fee8785e3282b7d0aac2

SHA256
4706fc59e6edd4ad828e5bd2787a95218dc20a60a29f050b3af07b692948a8d3

SHA512
7c25cbb3ee59ddd30a587cc2505467e5848600736deb3a3e99d3bb1e8cc91480243e9085d0e05ed232358e272978265052895b02eeb50ccdbf7f3cb571b76ff4

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
9da8b2689d156cf6a50494f588d7aecb

SHA1
ec670b2125f40438381eb85c99a5310e54c73a82

SHA256
0d3abb581ab748b84cbe6490b4fd16babe70c9d3cf15fd05036bd1b48866c99a

SHA512
44d81d844a97a98b99067dbf0721abbd98e356e0e035ddd57d9e38faf473aa4bd5d5521072ec882f77444d72993fc21fd93710d23efaad0c603910d32505dbee

Download Submit
\??\c:\windows\SysWOW64\dllhost.exe

Filesize
566KB

MD5
a8aa16d71b3a4864effb6833f2b49569

SHA1
dad178a90bc711bb926562dc20eba3a264a4994f

SHA256
097c163949fd4bd7b231b70f8144596b73fb092ee18186a565769360f2d6e351

SHA512
5969c130f41b3038cc1668be90e9832dc2160741b0f3838aa3d2843ed2acbe89fc4d119fc7168f55baed5e2f1243a2930c600632dd10fe6b7017a9a840ababc3

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
579KB

MD5
ada98f6477474ecd211b8e7d6de48687

SHA1
d2e38b316290528ea0290a6cf72b083b47f40b76

SHA256
dfbed8db6dd58be04f2f81e4a5044551b008a66b9bf9e0b69f1083aeaafdbbd4

SHA512
1e95819b28751ed7bff67143137e3a13fb63fd2a7b804538600cdae3561061ffe0a972f01eff6d8b6e500c939c94228bf3131787d7bcdc3648cb52d6e1a7b60d

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e8b3d1c4d93fcf7fd747ec550982c03f

SHA1
775eaa4fbb4bfff19b2c1c494e3a53b8d0f7a6fb

SHA256
8cb30bdc8584763034d85c59392bdeb2bcab3905437750600442e71536c36f86

SHA512
1fab60f13a5a3c651c9e09c8e1362bffd6e1124fbe99f4e8880dac8bd975fd0190407251f358b7d86c323ddc3193e721b7d0af0018d7202777777658dff108ef

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
683KB

MD5
8049c070d230b136426cdc5274f5719f

SHA1
95de57047c2062149dc18f2a819fe9762a29f161

SHA256
b6f7044e5be036ebd034d61132c08bab5d5219121485e3fde3703fc6e0ebca21

SHA512
6d300e9151eae8ebd5cfa94e599b531bcdea0d05d7cd2db68aa74be706041f917544a5523fb403680aee2b07c52d452fd36e2e795fd2b6cfa38dc74c2e9875df

Download Submit
\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe

Filesize
1.4MB

MD5
8b21153adf93e1b851cc40b2578278e5

SHA1
cd544d76d8992dfc5158a58c2440e9307419ef48

SHA256
05d1cc80adef401246c7dde263b109f35d3b71db2dc8d549293d9d5dfc5af162

SHA512
e820da2d48443132f9cf2bd101a1274725783d7bdf02ec759ba6239c6f8b0eeb0c2dc7ef3e44673be9fa0ab3e5680866e01dd3f1fa47610308f904935c1efaa4

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
595KB

MD5
fb8095bbdbba9af1c7fadab4c7625f81

SHA1
cc0e3a429e9c05050814b7d5047602ac50ad10c4

SHA256
9f1e2fe0f75a89143147317ee1b60c3ed1b472d57bc6d819c9a67d7edd540bf3

SHA512
4a1e4a61a6475a142e6983d911817c31c05de3b0bb56d8bfe3706ee1ebd968c77b760a0fe37e7317e95681b1060a5f5095b5613a858b7aa12d735fcdfdf3baee

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
636KB

MD5
e925e5864006009b2dd19ce53086f523

SHA1
ee485815ba2cb6cce8d0da33538cf7b2a30d0ae4

SHA256
759be2ed5113e5e2563b6bd009521e1295b87ee198d8ed4f39f56455d832e1fc

SHA512
7af6a8e33894a478790e4fa883389601d497a7e19807a66db65aa6f86bf4f99efcecbb8ac1611b0012525fed5d67dceefd1d54a794f925fd8283d5f6b6b0147c

Download Submit
\??\c:\windows\system32\dllhost.exe

Filesize
569KB

MD5
edd7ccace17dbc118c37f189bd7f46a1

SHA1
8da1d8cf50dbdc7f2b811fdb08f75d16724b39dc

SHA256
a092c780d2907b1851c1b75f703cc77186b22143c634791e052922e4928dad50

SHA512
ed892e93ea2bcc90856b6b4131e40f362b4227220ef357ef9a93360fddeccda50fd583b2f2dc8c7d21adf0af935eeac8d9140402f290187806579b0de602d68c

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
995e9e550c100d2da4034d9c53b3f3f6

SHA1
3b5efd084957fd003bf5b67d1dea9a1f23dcf0f9

SHA256
b4a39d6fcfdcd133e2c5bb58f5137b021069b19beb0afdb3b4ba7be976bb76f3

SHA512
a343d976d23df01709c01741e4e7bf0e7c99362f67d2539025b3bc6d7b8c052724a645d53733d9c0f162b53a1a8792e68ebac4eee3ab7268a8ff07ac591e2f53

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
670KB

MD5
501d04fcc57367ab6711e8cdf234d47b

SHA1
04a273164390ddfbb529c530a426049723f42698

SHA256
a18c13d1fd8b99a8899c838a4caec8dd2321ae23d3cda4f94852eb2e54d9ddcb

SHA512
77e161d2b8884eab228fb97234c8cc36487298f9dd1dfea11e52047ca449b8f4f6c40809a1866a4d4f97ef27541be54317489c5d8c6299d841f45bb6baa8f245

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
644KB

MD5
a07dabfc401d319887fee676bd9d4d62

SHA1
bfa43ad9951a4d1966f4c097ebcfaed554f5de9b

SHA256
1c9cdff972138804324a50c07ef115924dd7e0397bb73284cce3a5ecf3aae602

SHA512
9a472c7c2ae228e07cb0361474a8d9c22d79c04de42e5e702f8f9f496ea8ffff2674948f8ad91e7589e3b2ea02f32533f11d0568881a54851f8745b08f0d71e1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
644KB

MD5
a07dabfc401d319887fee676bd9d4d62

SHA1
bfa43ad9951a4d1966f4c097ebcfaed554f5de9b

SHA256
1c9cdff972138804324a50c07ef115924dd7e0397bb73284cce3a5ecf3aae602

SHA512
9a472c7c2ae228e07cb0361474a8d9c22d79c04de42e5e702f8f9f496ea8ffff2674948f8ad91e7589e3b2ea02f32533f11d0568881a54851f8745b08f0d71e1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
d7e167ecf7e54b89aeb8e761820a6f39

SHA1
f4b366db0aab892ff1114910be94d22425d24e89

SHA256
cac19d3036a5128bfa635d3204ffa23b94891532448c7445dfae98226dda3f2b

SHA512
74920442bcaa86720f50f9bd054781ae91769fa6dadece8575bf27c553183a3f189a4efa7477e855a383ac72c3878fedd3f81c57b14b3415d90cde2c3123b8d0

Download Submit
\Windows\System32\dllhost.exe

Filesize
569KB

MD5
edd7ccace17dbc118c37f189bd7f46a1

SHA1
8da1d8cf50dbdc7f2b811fdb08f75d16724b39dc

SHA256
a092c780d2907b1851c1b75f703cc77186b22143c634791e052922e4928dad50

SHA512
ed892e93ea2bcc90856b6b4131e40f362b4227220ef357ef9a93360fddeccda50fd583b2f2dc8c7d21adf0af935eeac8d9140402f290187806579b0de602d68c

Download Submit
\Windows\System32\dllhost.exe

Filesize
569KB

MD5
edd7ccace17dbc118c37f189bd7f46a1

SHA1
8da1d8cf50dbdc7f2b811fdb08f75d16724b39dc

SHA256
a092c780d2907b1851c1b75f703cc77186b22143c634791e052922e4928dad50

SHA512
ed892e93ea2bcc90856b6b4131e40f362b4227220ef357ef9a93360fddeccda50fd583b2f2dc8c7d21adf0af935eeac8d9140402f290187806579b0de602d68c

Download Submit
memory/276-94-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/276-84-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/520-100-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/520-107-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/568-126-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/748-160-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/772-165-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/772-168-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/788-117-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/788-123-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/824-79-0x0000000100000000-0x000000010027C000-memory.dmp

Filesize
2.5MB

Download
memory/824-92-0x0000000100000000-0x000000010027C000-memory.dmp

Filesize
2.5MB

Download
memory/876-183-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/888-173-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/888-176-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/944-118-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/944-113-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/956-64-0x0000000010000000-0x000000001028F000-memory.dmp

Filesize
2.6MB

Download
memory/956-66-0x0000000010000000-0x000000001028F000-memory.dmp

Filesize
2.6MB

Download
memory/1064-142-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1064-145-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1156-60-0x0000000010000000-0x000000001025B000-memory.dmp

Filesize
2.4MB

Download
memory/1156-58-0x0000000010000000-0x000000001025B000-memory.dmp

Filesize
2.4MB

Download
memory/1160-132-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1184-153-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1184-154-0x0000000003230000-0x00000000032EA000-memory.dmp

Filesize
744KB

Download
memory/1184-157-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1204-141-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1424-56-0x0000000001000000-0x0000000001252000-memory.dmp

Filesize
2.3MB

Download
memory/1424-54-0x0000000001000000-0x0000000001252000-memory.dmp

Filesize
2.3MB

Download
memory/1424-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1496-86-0x0000000140000000-0x0000000140295000-memory.dmp

Filesize
2.6MB

Download
memory/1496-72-0x0000000140000000-0x0000000140295000-memory.dmp

Filesize
2.6MB

Download
memory/1516-129-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1528-146-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1528-149-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1548-91-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1548-99-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1572-152-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1576-177-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1576-180-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1600-111-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1600-108-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1704-164-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1704-161-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1716-133-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1716-138-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1792-184-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1984-83-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1984-69-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1988-172-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1988-169-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download