d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
Size

656KB
MD5

584a78233a7a25afcff64c131e8a92f0
SHA1

7f487305bc3f83f4348ba4cdb85e07ff20ee52a0
SHA256

d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d
SHA512

eb2d7fd65c3781dd63434152e3b0a7d99f45acce03150ea3dcf3e3dbcdd97c0c3a0fc13e2d3ebef1b23a06343acc63a8d131020410c3b9fa2e2dbcb2c50b25c6
SSDEEP

12288:Zg+VMI/O4to6nVKnbGTzpq+7zkMNTMyRJgkdYLCjxbPginXynxuqKnJ:Z5Omo6VI6JpRJgkdY2jJIinXWxuqKnJ

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 38 IoCs

pid	Process
2016	mscorsvw.exe
472	Process not Found
1736	mscorsvw.exe
1128	mscorsvw.exe
1448	mscorsvw.exe
1548	dllhost.exe
788	elevation_service.exe
1892	mscorsvw.exe
1240	mscorsvw.exe
576	Process not Found
1988	DllHost.exe
1208	mscorsvw.exe
1620	mscorsvw.exe
1060	mscorsvw.exe
2016	mscorsvw.exe
824	mscorsvw.exe
844	mscorsvw.exe
616	mscorsvw.exe
604	mscorsvw.exe
1108	mscorsvw.exe
1104	mscorsvw.exe
1044	mscorsvw.exe
1976	mscorsvw.exe
828	mscorsvw.exe
1892	mscorsvw.exe
1096	mscorsvw.exe
1108	mscorsvw.exe
1552	mscorsvw.exe
916	mscorsvw.exe
1528	mscorsvw.exe
1900	mscorsvw.exe
1928	mscorsvw.exe
1964	mscorsvw.exe
1428	mscorsvw.exe
988	mscorsvw.exe
1344	mscorsvw.exe
2040	mscorsvw.exe
1452	mscorsvw.exe

Loads dropped DLL 27 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
824	mscorsvw.exe
824	mscorsvw.exe
616	mscorsvw.exe
616	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1044	mscorsvw.exe
1044	mscorsvw.exe
828	mscorsvw.exe
828	mscorsvw.exe
1096	mscorsvw.exe
1096	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
1528	mscorsvw.exe
1528	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
1428	mscorsvw.exe
1428	mscorsvw.exe
1344	mscorsvw.exe
1344	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000\EnableNotifications = "0"	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\E:	dllhost.exe
File opened (read-only)	\??\F:	dllhost.exe
File opened (read-only)	\??\K:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\L:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\N:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\Q:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\F:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\V:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\Z:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\O:	dllhost.exe
File opened (read-only)	\??\N:	dllhost.exe
File opened (read-only)	\??\T:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\Y:	dllhost.exe
File opened (read-only)	\??\G:	dllhost.exe
File opened (read-only)	\??\L:	dllhost.exe
File opened (read-only)	\??\P:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\P:	dllhost.exe
File opened (read-only)	\??\W:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\W:	dllhost.exe
File opened (read-only)	\??\K:	dllhost.exe
File opened (read-only)	\??\H:	dllhost.exe
File opened (read-only)	\??\M:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\M:	dllhost.exe
File opened (read-only)	\??\X:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\U:	dllhost.exe
File opened (read-only)	\??\E:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\R:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\S:	dllhost.exe
File opened (read-only)	\??\V:	dllhost.exe
File opened (read-only)	\??\X:	dllhost.exe
File opened (read-only)	\??\H:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\O:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\S:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\I:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\J:	dllhost.exe
File opened (read-only)	\??\R:	dllhost.exe
File opened (read-only)	\??\T:	dllhost.exe
File opened (read-only)	\??\I:	dllhost.exe
File opened (read-only)	\??\Q:	dllhost.exe
File opened (read-only)	\??\U:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\Y:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\Z:	dllhost.exe
File opened (read-only)	\??\J:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\vds.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	dllhost.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\hlfggcli.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	dllhost.exe
File created	\??\c:\windows\system32\nckgdcio.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\SysWOW64\obpfbgjk.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	dllhost.exe
File created	\??\c:\windows\system32\ecjabefj.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\cmbmjdgi.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\alg.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	dllhost.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\SysWOW64\eloqbhac.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\amdabibd.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\SysWOW64\aeiplcec.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\mgepibbm.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\fhfihplq.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	dllhost.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\bpjdcbjp.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	dllhost.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\vds.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\nmbahbmb.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\SysWOW64\bgljjjnp.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\alg.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\jamccllk.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	dllhost.exe
File created	\??\c:\windows\system32\hmkiiaio.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	dllhost.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\kebpomgi.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Internet Explorer\ljnmgphk.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	dllhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ighnagcm.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\eqiodbdg.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ejgplnoh.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\ijekiggo.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\7-Zip\dklkkafp.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\program files\windows media player\ifmcecni.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\7-Zip\nklemblo.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\7-Zip\nnknaeep.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\program files (x86)\microsoft office\office14\hkdoihhc.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	dllhost.exe
File created	C:\Program Files\7-Zip\klonohhl.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\iibndipn.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\gdaoemja.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\onakajab.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	dllhost.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	dllhost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\akaajeom.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\nhdihggb.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	dllhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jiianoje.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	dllhost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\gabgoqim.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\hpdfkalp.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3BBA.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP120B.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP733.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1438964D-581A-435E-953A-9A177CB03A92}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP404C.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\servicing\hcdcdphi.tmp	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFE4D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP257C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3313.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4847.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	dllhost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1548	dllhost.exe
1548	dllhost.exe
1548	dllhost.exe
1548	dllhost.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1408	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1548	dllhost.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeManageVolumePrivilege	1988	DllHost.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe
Token: SeShutdownPrivilege	1448	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1892	1448	mscorsvw.exe	33
PID 1448 wrote to memory of 1892	1448	mscorsvw.exe	33
PID 1448 wrote to memory of 1892	1448	mscorsvw.exe	33
PID 1448 wrote to memory of 1240	1448	mscorsvw.exe	34
PID 1448 wrote to memory of 1240	1448	mscorsvw.exe	34
PID 1448 wrote to memory of 1240	1448	mscorsvw.exe	34
PID 1448 wrote to memory of 1208	1448	mscorsvw.exe	37
PID 1448 wrote to memory of 1208	1448	mscorsvw.exe	37
PID 1448 wrote to memory of 1208	1448	mscorsvw.exe	37
PID 1448 wrote to memory of 1620	1448	mscorsvw.exe	38
PID 1448 wrote to memory of 1620	1448	mscorsvw.exe	38
PID 1448 wrote to memory of 1620	1448	mscorsvw.exe	38
PID 1448 wrote to memory of 1060	1448	mscorsvw.exe	39
PID 1448 wrote to memory of 1060	1448	mscorsvw.exe	39
PID 1448 wrote to memory of 1060	1448	mscorsvw.exe	39
PID 1448 wrote to memory of 2016	1448	mscorsvw.exe	40
PID 1448 wrote to memory of 2016	1448	mscorsvw.exe	40
PID 1448 wrote to memory of 2016	1448	mscorsvw.exe	40
PID 1448 wrote to memory of 824	1448	mscorsvw.exe	41
PID 1448 wrote to memory of 824	1448	mscorsvw.exe	41
PID 1448 wrote to memory of 824	1448	mscorsvw.exe	41
PID 1448 wrote to memory of 844	1448	mscorsvw.exe	42
PID 1448 wrote to memory of 844	1448	mscorsvw.exe	42
PID 1448 wrote to memory of 844	1448	mscorsvw.exe	42
PID 1448 wrote to memory of 616	1448	mscorsvw.exe	43
PID 1448 wrote to memory of 616	1448	mscorsvw.exe	43
PID 1448 wrote to memory of 616	1448	mscorsvw.exe	43
PID 1448 wrote to memory of 604	1448	mscorsvw.exe	44
PID 1448 wrote to memory of 604	1448	mscorsvw.exe	44
PID 1448 wrote to memory of 604	1448	mscorsvw.exe	44
PID 1448 wrote to memory of 1108	1448	mscorsvw.exe	45
PID 1448 wrote to memory of 1108	1448	mscorsvw.exe	45
PID 1448 wrote to memory of 1108	1448	mscorsvw.exe	45
PID 1448 wrote to memory of 1104	1448	mscorsvw.exe	46
PID 1448 wrote to memory of 1104	1448	mscorsvw.exe	46
PID 1448 wrote to memory of 1104	1448	mscorsvw.exe	46
PID 1448 wrote to memory of 1044	1448	mscorsvw.exe	47
PID 1448 wrote to memory of 1044	1448	mscorsvw.exe	47
PID 1448 wrote to memory of 1044	1448	mscorsvw.exe	47
PID 1448 wrote to memory of 1976	1448	mscorsvw.exe	48
PID 1448 wrote to memory of 1976	1448	mscorsvw.exe	48
PID 1448 wrote to memory of 1976	1448	mscorsvw.exe	48
PID 1448 wrote to memory of 828	1448	mscorsvw.exe	49
PID 1448 wrote to memory of 828	1448	mscorsvw.exe	49
PID 1448 wrote to memory of 828	1448	mscorsvw.exe	49
PID 1448 wrote to memory of 1892	1448	mscorsvw.exe	50
PID 1448 wrote to memory of 1892	1448	mscorsvw.exe	50
PID 1448 wrote to memory of 1892	1448	mscorsvw.exe	50
PID 1448 wrote to memory of 1096	1448	mscorsvw.exe	51
PID 1448 wrote to memory of 1096	1448	mscorsvw.exe	51
PID 1448 wrote to memory of 1096	1448	mscorsvw.exe	51
PID 1448 wrote to memory of 1108	1448	mscorsvw.exe	52
PID 1448 wrote to memory of 1108	1448	mscorsvw.exe	52
PID 1448 wrote to memory of 1108	1448	mscorsvw.exe	52
PID 1448 wrote to memory of 1552	1448	mscorsvw.exe	53
PID 1448 wrote to memory of 1552	1448	mscorsvw.exe	53
PID 1448 wrote to memory of 1552	1448	mscorsvw.exe	53
PID 1448 wrote to memory of 916	1448	mscorsvw.exe	54
PID 1448 wrote to memory of 916	1448	mscorsvw.exe	54
PID 1448 wrote to memory of 916	1448	mscorsvw.exe	54
PID 1448 wrote to memory of 1528	1448	mscorsvw.exe	55
PID 1448 wrote to memory of 1528	1448	mscorsvw.exe	55
PID 1448 wrote to memory of 1528	1448	mscorsvw.exe	55
PID 1448 wrote to memory of 1900	1448	mscorsvw.exe	56

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
"C:\Users\Admin\AppData\Local\Temp\d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 17c -NGENProcess 1a0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 17c -NGENProcess 1a0 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1e4 -NGENProcess 158 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 23c -NGENProcess 228 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent a8 -NGENProcess 214 -Pipe a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 234 -NGENProcess 158 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 240 -NGENProcess 228 -Pipe 164 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 230 -NGENProcess 228 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 250 -NGENProcess a8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent a8 -NGENProcess 22c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 258 -NGENProcess 228 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 228 -NGENProcess a8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 260 -NGENProcess 22c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 22c -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e4 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 228 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 23c -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 258 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 258 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 278 -Pipe a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 298 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1548

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
694KB

MD5
65e1e34f0618d5937dabd9ef45e1a685

SHA1
d6c7f211664dd286231f11082491ffdf5277cada

SHA256
bcff8b18be9de8d6cd8498a9be24ebf03a57e4b05c58f2395f800567190994e2

SHA512
5302216198d3f39c2fb2d04597adedd22424125ef792aa206a84908f204fa50d17b504d1e11759ff864e22ac000cad54ccc45bd36d3b161b090021d6348aa21d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
e694c2ccb6cf282da0e4b0af58f6f929

SHA1
7783cdb43dbe3c1e4a9233c57e6f2e8c6b9026f4

SHA256
033098e0be29d00bf44da9d2db19527d833fffdcf8bd9019af51be4282af4596

SHA512
f8b3909bee9879b6e9a5919f4385d65dd29f6e7096f681c15b8332a3dcd58e66b10b9d94695a0a1f9acefed0168acb3abbe4d74319fd395ddb6dc1173de36a55

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
1ef09f69b8cca0df5933e400c56f5d7b

SHA1
be6c44de85f65c87440b07c4b561deac94579ab8

SHA256
7db0822855f8bda542e42f45fb4f510ba24b818b95ae1848b517079d77fa8a94

SHA512
9ac32b4b76045f8faf132336d5aa17da65277c3c992c92d798dd69b2b6402aa434b43cb1e60a883b3ca7b18317e405c5330b9525ac53e3fb41d69e88b0210ec2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
285565239b432e768f2b4efbcaaa5e30

SHA1
1b433449248aeb35b6a3333d02107023fafa4056

SHA256
2cbbccab0d6794746c511f56982c9e26790ece75b28c88be04fcc5c2b72ac22c

SHA512
ed99ed4b35d0951bb5e9a1476de6000783f87e8aa01f3554d4cbff8cd7f322f0fc300e0aedf38feb7c989d650fb2d600f7c3f1bf7677feb9846bbf201fbf1ecc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
285565239b432e768f2b4efbcaaa5e30

SHA1
1b433449248aeb35b6a3333d02107023fafa4056

SHA256
2cbbccab0d6794746c511f56982c9e26790ece75b28c88be04fcc5c2b72ac22c

SHA512
ed99ed4b35d0951bb5e9a1476de6000783f87e8aa01f3554d4cbff8cd7f322f0fc300e0aedf38feb7c989d650fb2d600f7c3f1bf7677feb9846bbf201fbf1ecc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
b4f7d42439d6a1cbb7917722ed80f318

SHA1
49424e054aeb3502abf900ad0c33770bbcbe1a19

SHA256
0fea5872d0ebae275f71518767d3db11bd0cbae5b64d417dad3bac570f7ac4cc

SHA512
b274548b4f1947a08d1e6ba0697417d15d70488b6e4295059669bb2c0e943062514708618951745183441ce238f53dcd7d877536fa8500bbeb93ecf7223f303f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
b4f7d42439d6a1cbb7917722ed80f318

SHA1
49424e054aeb3502abf900ad0c33770bbcbe1a19

SHA256
0fea5872d0ebae275f71518767d3db11bd0cbae5b64d417dad3bac570f7ac4cc

SHA512
b274548b4f1947a08d1e6ba0697417d15d70488b6e4295059669bb2c0e943062514708618951745183441ce238f53dcd7d877536fa8500bbeb93ecf7223f303f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
2c9dd551175744af2fef97b25d1df6cb

SHA1
246d2a87b80070995ec3d426fd33071249a9af75

SHA256
cd6148e2f132d934754d53252ac135ba38534338b3ec88c875d20f74172ea921

SHA512
2fa7ccd7edbe5d9ea10c5baf020f60c62bcd10b434d61a0b5acca28e0ecded4d0ba7e53cc6abc6384f4e865865414eadbf94552c3caa655f611dd1bc242013d3

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
565KB

MD5
3374f6a1629d275aa9aa85b7ed69b23b

SHA1
76af95396d24af09bb344c8fafd10e60974aca4d

SHA256
c89a100c3078a23fbf863a7fe188734601a0c29fd9e7f232439c2edcd3fb29c7

SHA512
1db9c3dd48305b19e7f0e1b295cb08a2cfb82e9cc31bffae94ea49b163ce47e31049833f0873ec7eda898b6a962c56a2641c84eb5185dbdfc855821edc7f823b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
565KB

MD5
3374f6a1629d275aa9aa85b7ed69b23b

SHA1
76af95396d24af09bb344c8fafd10e60974aca4d

SHA256
c89a100c3078a23fbf863a7fe188734601a0c29fd9e7f232439c2edcd3fb29c7

SHA512
1db9c3dd48305b19e7f0e1b295cb08a2cfb82e9cc31bffae94ea49b163ce47e31049833f0873ec7eda898b6a962c56a2641c84eb5185dbdfc855821edc7f823b

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
857010fb98d0b309829bff56396c0755

SHA1
a48755c8cb82ebe0bf9431fe20e785ee861f5aa4

SHA256
8e6494ffa06f68c6e564f26b529e4ad725420e2d4ef43935565791462d8ac86b

SHA512
8186676ec8f400c580e0ce508ea3835f0427471fd45542ee6a94f3bd2ba3babe16d0a2f1be029187970b910da541dcc9de304f41192a36dc62dfa7ab2406512e

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
abec00d85f463fc82719080062de3b26

SHA1
817eebbd4d8a5286bc6089c601d151d98ce66578

SHA256
c4ee01eb2da08bc4df033ecb55dcc150225a4ad8040c185da4625209c12c36d3

SHA512
110360ba05cc2ce4acc0608c1d5e53ef08724268cd1b22cb44e108eb1fa67cacad1b47aaeecfcd48b94be9170658680d46fa889aaf8d6d0c2d22442abc608df9

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
788KB

MD5
2313d73de81afee34140582dd5fbae4e

SHA1
95fd61601326d64681c30f5c5f07f81bed2e0840

SHA256
cb3aa45778e1272f3e8530486327612bd5797395bad077626182799ab8cdae60

SHA512
0a84ed0d15d28d4af9dda280a7f9d2a7174f43cfae5750b35cb4c7f70f1302a79792062982ff9acb96a45581212a84f6d1f96abed6e3c6906a9bb6009ee9fd2a

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.2MB

MD5
c6aecf55815c911ae127e857c55e2f3a

SHA1
bd84de1b4fc03161f8f5471fcc556ed2617cc9e1

SHA256
bd6cbee790746d67777fe3943e9eb5878e7429537e96b0b97df3219b0045f2a6

SHA512
dd79d64d2a279a69a36b27aeff91a5afb633f4ad32ecff73156a89c2c24babbd471acedd029c07ac3487e198c2adb8ef739e997bd4ce6bfdee31b630c619374f

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
8a6b257e48fa46853357ff647f38206e

SHA1
25dd9639a8bf70eff924564b33dd20e8447059ea

SHA256
898daa96f297e86626df8a82db4a8043a7facef1d3ee30a09305e83748421155

SHA512
3fc9738cc9e42d2cbffa9683960c875ad761244c1b449cc0053cdc9bd53a3c194d06cb7cb50a0229364f63d5f27656cdf79ce44df6395e390987797b401ae443

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ea913662e84c9f33f7e0addf71ee5ec5

SHA1
735f492ea640607dda8f3eafcbbb033acfa959bb

SHA256
7de04cf6f50c24e81181334500e7620dd5fe27706522e426d05d6ae36a759bb3

SHA512
f8913362b2497c74323922a669ad1a8026e6d4598eb939eacfee9a266b0627245eea8e3318afa6f9411ee5993aa3a91bcdcbefc424ea973287f3ab19a43c58ac

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
44239b25879e54515e71d09367aed2f1

SHA1
7449dc8ff5a33137a17663132b40b1ef76222be6

SHA256
952ec1e7b05bfb3ee5b242547ff28f55732c49f7cab04a480399605d6c3f5ab2

SHA512
87b234d2edbc964a46e28c67812a1e3c5f62f8af8962782e2244b73a68bc404010f12f57ebf66b77044b0fd31a5958a0f7f75e2ca4cb7df82f5c32ec9c4a9d22

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
94ae55c98da7caf4aebfbd8ee007ddc4

SHA1
c97f071846bf9c0892711c2a0ffe2b5862109f6a

SHA256
a1350885b5fa38ae31ef884b135b51702017aa58052b6140e9694630d7c0bf20

SHA512
28a13e0683bf1776a3329f6c6d8f6e85dbff9c46b90c4f26563238b72e7e175b5fccf5d717883294950c3d4c30b2a0755feab3e668a18620b58430e7c9d60ade

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
2c9dd551175744af2fef97b25d1df6cb

SHA1
246d2a87b80070995ec3d426fd33071249a9af75

SHA256
cd6148e2f132d934754d53252ac135ba38534338b3ec88c875d20f74172ea921

SHA512
2fa7ccd7edbe5d9ea10c5baf020f60c62bcd10b434d61a0b5acca28e0ecded4d0ba7e53cc6abc6384f4e865865414eadbf94552c3caa655f611dd1bc242013d3

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
8ae2c96c712d3062d3e952221367f75b

SHA1
1cd32a1a61bc5ef3324b08b0f15985dda5d920a2

SHA256
86503d68e189e0fd83772203c7a1f78fc21012d1f94eaf6bae0bcec8423f353f

SHA512
ebd48d09283adab0b56afbfd3c5a3fe9f0dccaa38aef8091a966c26a8a3af632eabc7910638dfc30c9061051e9059db1d05b549c5d2bb7c2c2edc938a81593f8

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
bc9749868070e7d9f89c080de9ede798

SHA1
47ed8c5f889c85839d1676ddff4257a0b1379c98

SHA256
8320279e9381e1aa3edc6cf4d9bf1737cc9c4b6a151a4b4c2eb9c2c1afe4142a

SHA512
9820c34d7e3fa045f3f6db22f455becfa069999e1c81150d6f4ad51d0c40c60a3eba0fe1180d9c3045bb03c79127efa5ee9100241a27053bc931ae87c773d489

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
666KB

MD5
0c131544568fa8492ec2bcc310f465b5

SHA1
53fcfa5a14e177d2b7a986c906e5af2be35ae1cc

SHA256
c648c502842049dcd0a934804d50ad4b6c70f8dea0f29b82dcb4efccf20f8d3f

SHA512
8529435fbdacedbf672f3abc0fbe83cbab900f93963e1631b8303239bb292c241db69353d5d3ce8bc6e1871bcb7ec78aa4d9fcc7355d09f22a5d572f91f8b990

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
b5458f184e0a7f69c64b2ac1a5fcf0d8

SHA1
2897ce7999af8d52ab8d408ae030ca9b1ff33274

SHA256
866cfd1522d6a97d28b6914160b12afd622c2395137ca76a77e259bd3fdd51df

SHA512
f8f56bf6f5bb97376099620611219befc7735761a817a53f0b660c51c35fc8fb0fd5d0e937257ccff2ccb7a466f71d87a6b370e7670a5ba8864c89019f4991f8

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
683KB

MD5
0069c4119300e6bcdb7a1a1e2c4d0b5b

SHA1
230a19fedaedf08d06afb212bf99da4cda1b5548

SHA256
73431c4debe587e5713ec046505cb03e8be6ff4a77d92fad8328950abc62dca1

SHA512
13480201d6493d3a6cfaeeb7515155dbeb91937fa1b19dc1e1d5c2d7fc18201d5f6cbe481c9704c39abd02126de43be89ead14f99e403184499e6e1ddbddcd43

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
0af5523e41c698aa960c7821c6a212b0

SHA1
2f7ec5062599f7f2dce097c47ef430c14b4524d4

SHA256
5b82667eb170a64a7b1488a5306e30049873c1a8d0e43f0bcf9bd0f71b82cf6b

SHA512
664721691fe54dbee143b290577e4e67a3de052c24cbfd845f813a3ea209ecf8b5bb027c75667b10fb732160458a8f62676c8c66576f967842c7e5fc81e84a72

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
c49bbc217529477e69510c4645bb0791

SHA1
f361ba2b74c8e675d572542d093adf73d0f32ae0

SHA256
2d901f3c8058541795937d6b90e4fdd020e09707827cadc32d32caebe4a4a547

SHA512
e4c3938a0e650aff4cf67e357d3ba199e7013b4fee43eac51321c70f251ccaf830f4c4cdffab6788f256275dacd6052ccf63e15f43aa523edefc97918c3812c1

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
dbdab11aa362206d8232503ea2ad292d

SHA1
77d2f78c653d6458d16cdd42bdcc01045e5da5c1

SHA256
f060d83d534ecca7f2b707f5024c9998964d97392e33dcf4bd95352ef703e884

SHA512
d736cd956d447e56344364c414782c028d05f8fadac4e568637c7561a58a0dde0b1044db0f0b57acf9a53ca3c4c92f6830d9ec0b861e5bb5158eb1e9827a18c2

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
167a31cac2f767b1f6760768e92c1b04

SHA1
b17d3c41c60fb31273ab9503055874727d03db33

SHA256
54f0f5a4a41355c8d938b5ef6fd76d5af3163c507e1a51cd5e4342cc0963ef3a

SHA512
ee6d23efc412e3c35502af7708a378b11dfe476ed867009714525e79d4fc0dfb17f671afbc43052f925b4cd4e8250184a53c4a8dc96a22e051beb58477a78841

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
9d357b449090dd1c5c0f36b4e113e660

SHA1
7eafa3798f0b83fd0cb179cd2dbbeed743b27d52

SHA256
85d7222abe23052d733648b720737a70077dc4912203011df926998c31eddbb7

SHA512
a7dee886e59d5cfda0b356c8ab102ca690822bc790c562fdc4b0628d747dff1f1e12bfed3d1182aad46bbd102db926e09a55487e020356d6efbd220a931e5d39

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
43aeddb376eb5ce19099e50c94fcce62

SHA1
aeaa2814ad25081b5b43ec1cdbbd92e1157802c5

SHA256
164145fe3f34e51539203fcc4eee9d8ac124fdff239fed40b20ad703ebda0785

SHA512
c54b654ca66bd691b3adb86115f7c514104f1e3d11a67bc516cdb8d704334d41d5e5092d0cbb250e4e2be1bf96a02d9f89fd5ff8dd06fcd245fa58ca07955866

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
a3a6ea6dd68049596c5c20156419d1b0

SHA1
d43b6acd93e144bac0b1eda7606c63d495a6c146

SHA256
63f2a7932a3ce3ac7e3e8e0cf6872afd866f1068d24b1a25421ecf50ab25bbf1

SHA512
98c6d422776d45d66a01a28628b6423a699524de9eebb28546703ec8aa97624a6d2386abd438d41c4c4215a4bd07279cf9b5f28ab604494b9bae7f48482ffe5f

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
1ef09f69b8cca0df5933e400c56f5d7b

SHA1
be6c44de85f65c87440b07c4b561deac94579ab8

SHA256
7db0822855f8bda542e42f45fb4f510ba24b818b95ae1848b517079d77fa8a94

SHA512
9ac32b4b76045f8faf132336d5aa17da65277c3c992c92d798dd69b2b6402aa434b43cb1e60a883b3ca7b18317e405c5330b9525ac53e3fb41d69e88b0210ec2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
285565239b432e768f2b4efbcaaa5e30

SHA1
1b433449248aeb35b6a3333d02107023fafa4056

SHA256
2cbbccab0d6794746c511f56982c9e26790ece75b28c88be04fcc5c2b72ac22c

SHA512
ed99ed4b35d0951bb5e9a1476de6000783f87e8aa01f3554d4cbff8cd7f322f0fc300e0aedf38feb7c989d650fb2d600f7c3f1bf7677feb9846bbf201fbf1ecc

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
285565239b432e768f2b4efbcaaa5e30

SHA1
1b433449248aeb35b6a3333d02107023fafa4056

SHA256
2cbbccab0d6794746c511f56982c9e26790ece75b28c88be04fcc5c2b72ac22c

SHA512
ed99ed4b35d0951bb5e9a1476de6000783f87e8aa01f3554d4cbff8cd7f322f0fc300e0aedf38feb7c989d650fb2d600f7c3f1bf7677feb9846bbf201fbf1ecc

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
3c89e3d8acaa6fb71cdd0aebe2badeae

SHA1
fd397cbf0412fc0fa27ae9ae9af2ca733fd8dc65

SHA256
2e20411a6aa851a134262cf6b95db496b54319ffdefbda2c5e14b1c595deda21

SHA512
d4b51502e49e06c596722a51060a6065763ad08458d135ec33fe50158ec6b54efbde60f1356c8cafb92bf51a4bcb2f0b73980dbbd08ad8bfdbdbf0c9c189b780

Download Submit
\Windows\System32\dllhost.exe

Filesize
565KB

MD5
3374f6a1629d275aa9aa85b7ed69b23b

SHA1
76af95396d24af09bb344c8fafd10e60974aca4d

SHA256
c89a100c3078a23fbf863a7fe188734601a0c29fd9e7f232439c2edcd3fb29c7

SHA512
1db9c3dd48305b19e7f0e1b295cb08a2cfb82e9cc31bffae94ea49b163ce47e31049833f0873ec7eda898b6a962c56a2641c84eb5185dbdfc855821edc7f823b

Download Submit
\Windows\System32\dllhost.exe

Filesize
565KB

MD5
3374f6a1629d275aa9aa85b7ed69b23b

SHA1
76af95396d24af09bb344c8fafd10e60974aca4d

SHA256
c89a100c3078a23fbf863a7fe188734601a0c29fd9e7f232439c2edcd3fb29c7

SHA512
1db9c3dd48305b19e7f0e1b295cb08a2cfb82e9cc31bffae94ea49b163ce47e31049833f0873ec7eda898b6a962c56a2641c84eb5185dbdfc855821edc7f823b

Download Submit
\Windows\System32\dllhost.exe

Filesize
565KB

MD5
3374f6a1629d275aa9aa85b7ed69b23b

SHA1
76af95396d24af09bb344c8fafd10e60974aca4d

SHA256
c89a100c3078a23fbf863a7fe188734601a0c29fd9e7f232439c2edcd3fb29c7

SHA512
1db9c3dd48305b19e7f0e1b295cb08a2cfb82e9cc31bffae94ea49b163ce47e31049833f0873ec7eda898b6a962c56a2641c84eb5185dbdfc855821edc7f823b

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP120B.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP733.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP733.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDEBC.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDEBC.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF142.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF142.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFE4D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFE4D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
memory/604-175-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/604-172-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/616-163-0x000007FEED3C0000-0x000007FEEDDE3000-memory.dmp

Filesize
10.1MB

Download
memory/616-169-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/616-164-0x000000001CAC0000-0x000000001CDBF000-memory.dmp

Filesize
3.0MB

Download
memory/616-165-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/788-99-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/788-78-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/824-149-0x000007FEEDDF0000-0x000007FEEE813000-memory.dmp

Filesize
10.1MB

Download
memory/824-155-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/824-150-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/828-202-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/828-199-0x000007FEEDDF0000-0x000007FEEE813000-memory.dmp

Filesize
10.1MB

Download
memory/844-162-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/844-157-0x000007FEEC8A0000-0x000007FEED936000-memory.dmp

Filesize
16.6MB

Download
memory/844-159-0x000000001CBB0000-0x000000001CEAF000-memory.dmp

Filesize
3.0MB

Download
memory/844-158-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/916-220-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/988-234-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1044-187-0x000007FEEDDF0000-0x000007FEEE813000-memory.dmp

Filesize
10.1MB

Download
memory/1044-192-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1060-139-0x000007FEEDDF0000-0x000007FEEE813000-memory.dmp

Filesize
10.1MB

Download
memory/1060-142-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1060-140-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1096-207-0x000007FEEDDF0000-0x000007FEEE813000-memory.dmp

Filesize
10.1MB

Download
memory/1096-210-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1096-208-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1104-186-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1104-182-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1108-211-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1108-212-0x000007FEF40F0000-0x000007FEF4B13000-memory.dmp

Filesize
10.1MB

Download
memory/1108-181-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1108-214-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1108-176-0x000007FEEDDF0000-0x000007FEEE813000-memory.dmp

Filesize
10.1MB

Download
memory/1128-66-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1208-134-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1208-132-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1240-86-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1240-89-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1344-237-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1344-235-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1408-73-0x0000000001000000-0x0000000001264000-memory.dmp

Filesize
2.4MB

Download
memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1408-55-0x0000000001000000-0x0000000001264000-memory.dmp

Filesize
2.4MB

Download
memory/1428-232-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1448-93-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1448-74-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1452-241-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1528-223-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1528-221-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1548-75-0x0000000100000000-0x0000000100278000-memory.dmp

Filesize
2.5MB

Download
memory/1548-94-0x0000000100000000-0x0000000100278000-memory.dmp

Filesize
2.5MB

Download
memory/1552-215-0x000007FEEDDF0000-0x000007FEEE813000-memory.dmp

Filesize
10.1MB

Download
memory/1552-216-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1552-217-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1620-138-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1736-62-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/1736-64-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/1892-206-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1892-204-0x000007FEF40F0000-0x000007FEF4B13000-memory.dmp

Filesize
10.1MB

Download
memory/1892-203-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1892-88-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1892-82-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1900-225-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1928-227-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1964-228-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1964-230-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1976-193-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1976-198-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1976-194-0x000007FEED3C0000-0x000007FEEDDE3000-memory.dmp

Filesize
10.1MB

Download
memory/1976-195-0x000007FEEB280000-0x000007FEEC316000-memory.dmp

Filesize
16.6MB

Download
memory/1988-126-0x0000000100000000-0x0000000100278000-memory.dmp

Filesize
2.5MB

Download
memory/1988-113-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/1988-119-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/1988-125-0x0000000004160000-0x0000000004168000-memory.dmp

Filesize
32KB

Download
memory/1988-127-0x0000000100000000-0x0000000100278000-memory.dmp

Filesize
2.5MB

Download
memory/2016-58-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2016-148-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2016-145-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2016-144-0x000007FEF40F0000-0x000007FEF4B13000-memory.dmp

Filesize
10.1MB

Download
memory/2040-238-0x000007FEF40F0000-0x000007FEF4B13000-memory.dmp

Filesize
10.1MB

Download
memory/2040-240-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download