2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf

Analysis

max time kernel
151s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
Size

770KB
MD5

a1a36cb461c870a314176e70b814ffc1
SHA1

0454dd42926e3637ed36842fae4727ae6f36f18d
SHA256

2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf
SHA512

3983c7dd6b1662a63a3947586dfbae3102ff7936fbccfcd19d517fb7b79a1a0ac38e934453561392630d2dc593c71d8b9ea420daa74b1f544641b907985f3958
SSDEEP

24576:FsqSroAupL8uSrOKMU6TT2GxvEEHWmMz6bLlxwFHy:FGD+LzGBzsNN6ifwdy

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
520	mscorsvw.exe
460	Process not Found
760	mscorsvw.exe
812	mscorsvw.exe
1812	mscorsvw.exe
1000	dllhost.exe
1932	mscorsvw.exe
640	mscorsvw.exe
584	Process not Found
520	DllHost.exe
1532	mscorsvw.exe
1820	mscorsvw.exe
2044	mscorsvw.exe
1084	mscorsvw.exe
892	mscorsvw.exe
1628	mscorsvw.exe
1724	mscorsvw.exe
1420	mscorsvw.exe
1656	mscorsvw.exe
1708	mscorsvw.exe
1108	mscorsvw.exe
1704	mscorsvw.exe
1004	mscorsvw.exe
624	mscorsvw.exe
568	mscorsvw.exe
896	mscorsvw.exe
1172	mscorsvw.exe
1228	mscorsvw.exe
1556	mscorsvw.exe
924	mscorsvw.exe
976	mscorsvw.exe
328	mscorsvw.exe
1508	mscorsvw.exe
1280	mscorsvw.exe
1632	mscorsvw.exe
1040	mscorsvw.exe
1472	mscorsvw.exe
696	mscorsvw.exe
892	mscorsvw.exe
1016	mscorsvw.exe

Loads dropped DLL 30 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
892	mscorsvw.exe
892	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
1656	mscorsvw.exe
1656	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
1004	mscorsvw.exe
1004	mscorsvw.exe
568	mscorsvw.exe
568	mscorsvw.exe
1172	mscorsvw.exe
1172	mscorsvw.exe
1556	mscorsvw.exe
1556	mscorsvw.exe
976	mscorsvw.exe
976	mscorsvw.exe
1508	mscorsvw.exe
1508	mscorsvw.exe
1632	mscorsvw.exe
1632	mscorsvw.exe
1472	mscorsvw.exe
1472	mscorsvw.exe
892	mscorsvw.exe
892	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\E:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\K:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\S:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\Z:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\W:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\H:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\Q:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\Y:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\R:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\L:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\M:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\T:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\F:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\G:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\J:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\I:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\U:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\F:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\P:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\X:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\N:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened (read-only)	\??\O:	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ui0detect.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\alg.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\system32\fxssvc.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\dllhost.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\wbengine.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\system32\vds.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\vds.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\system32\vssvc.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\system32\msiexec.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\system32\snmptrap.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\system32\alg.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File created	\??\c:\windows\system32\msdtc.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Program Files\7-Zip\7z.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Program Files\7-Zip\Uninstall.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Program Files\7-Zip\7zFM.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	C:\Program Files\7-Zip\7zG.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	mscorsvw.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1ECAFB72-9B55-4DC7-A5A1-BC914C4D75BD}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3737.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5DB.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD07A.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2D87.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE283.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3303.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1744	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeManageVolumePrivilege	520	DllHost.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe
Token: SeShutdownPrivilege	1812	mscorsvw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1744	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
1744	2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1932	1812	mscorsvw.exe	32
PID 1812 wrote to memory of 1932	1812	mscorsvw.exe	32
PID 1812 wrote to memory of 1932	1812	mscorsvw.exe	32
PID 1812 wrote to memory of 640	1812	mscorsvw.exe	33
PID 1812 wrote to memory of 640	1812	mscorsvw.exe	33
PID 1812 wrote to memory of 640	1812	mscorsvw.exe	33
PID 1812 wrote to memory of 1532	1812	mscorsvw.exe	36
PID 1812 wrote to memory of 1532	1812	mscorsvw.exe	36
PID 1812 wrote to memory of 1532	1812	mscorsvw.exe	36
PID 1812 wrote to memory of 1820	1812	mscorsvw.exe	37
PID 1812 wrote to memory of 1820	1812	mscorsvw.exe	37
PID 1812 wrote to memory of 1820	1812	mscorsvw.exe	37
PID 1812 wrote to memory of 2044	1812	mscorsvw.exe	38
PID 1812 wrote to memory of 2044	1812	mscorsvw.exe	38
PID 1812 wrote to memory of 2044	1812	mscorsvw.exe	38
PID 1812 wrote to memory of 1084	1812	mscorsvw.exe	39
PID 1812 wrote to memory of 1084	1812	mscorsvw.exe	39
PID 1812 wrote to memory of 1084	1812	mscorsvw.exe	39
PID 1812 wrote to memory of 892	1812	mscorsvw.exe	40
PID 1812 wrote to memory of 892	1812	mscorsvw.exe	40
PID 1812 wrote to memory of 892	1812	mscorsvw.exe	40
PID 1812 wrote to memory of 1628	1812	mscorsvw.exe	41
PID 1812 wrote to memory of 1628	1812	mscorsvw.exe	41
PID 1812 wrote to memory of 1628	1812	mscorsvw.exe	41
PID 1812 wrote to memory of 1724	1812	mscorsvw.exe	42
PID 1812 wrote to memory of 1724	1812	mscorsvw.exe	42
PID 1812 wrote to memory of 1724	1812	mscorsvw.exe	42
PID 1812 wrote to memory of 1420	1812	mscorsvw.exe	43
PID 1812 wrote to memory of 1420	1812	mscorsvw.exe	43
PID 1812 wrote to memory of 1420	1812	mscorsvw.exe	43
PID 1812 wrote to memory of 1656	1812	mscorsvw.exe	44
PID 1812 wrote to memory of 1656	1812	mscorsvw.exe	44
PID 1812 wrote to memory of 1656	1812	mscorsvw.exe	44
PID 1812 wrote to memory of 1708	1812	mscorsvw.exe	45
PID 1812 wrote to memory of 1708	1812	mscorsvw.exe	45
PID 1812 wrote to memory of 1708	1812	mscorsvw.exe	45
PID 1812 wrote to memory of 1108	1812	mscorsvw.exe	46
PID 1812 wrote to memory of 1108	1812	mscorsvw.exe	46
PID 1812 wrote to memory of 1108	1812	mscorsvw.exe	46
PID 1812 wrote to memory of 1704	1812	mscorsvw.exe	47
PID 1812 wrote to memory of 1704	1812	mscorsvw.exe	47
PID 1812 wrote to memory of 1704	1812	mscorsvw.exe	47
PID 1812 wrote to memory of 1004	1812	mscorsvw.exe	48
PID 1812 wrote to memory of 1004	1812	mscorsvw.exe	48
PID 1812 wrote to memory of 1004	1812	mscorsvw.exe	48
PID 1812 wrote to memory of 624	1812	mscorsvw.exe	49
PID 1812 wrote to memory of 624	1812	mscorsvw.exe	49
PID 1812 wrote to memory of 624	1812	mscorsvw.exe	49
PID 1812 wrote to memory of 568	1812	mscorsvw.exe	50
PID 1812 wrote to memory of 568	1812	mscorsvw.exe	50
PID 1812 wrote to memory of 568	1812	mscorsvw.exe	50
PID 1812 wrote to memory of 896	1812	mscorsvw.exe	51
PID 1812 wrote to memory of 896	1812	mscorsvw.exe	51
PID 1812 wrote to memory of 896	1812	mscorsvw.exe	51
PID 1812 wrote to memory of 1172	1812	mscorsvw.exe	52
PID 1812 wrote to memory of 1172	1812	mscorsvw.exe	52
PID 1812 wrote to memory of 1172	1812	mscorsvw.exe	52
PID 1812 wrote to memory of 1228	1812	mscorsvw.exe	53
PID 1812 wrote to memory of 1228	1812	mscorsvw.exe	53
PID 1812 wrote to memory of 1228	1812	mscorsvw.exe	53
PID 1812 wrote to memory of 1556	1812	mscorsvw.exe	54
PID 1812 wrote to memory of 1556	1812	mscorsvw.exe	54
PID 1812 wrote to memory of 1556	1812	mscorsvw.exe	54
PID 1812 wrote to memory of 924	1812	mscorsvw.exe	55

C:\Users\Admin\AppData\Local\Temp\2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe
"C:\Users\Admin\AppData\Local\Temp\2a9d596b21e6826d18e80009a181733c4e1a381341a17d73d7b4c1155a6260cf.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:520

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 194 -NGENProcess 198 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 194 -NGENProcess 198 -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 198 -NGENProcess 1b0 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 254 -NGENProcess 228 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1b0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 264 -NGENProcess 228 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent a4 -NGENProcess 270 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 248 -NGENProcess 264 -Pipe a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 200 -NGENProcess a0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent a0 -NGENProcess 1b0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a0 -InterruptEvent 278 -NGENProcess 264 -Pipe a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 200 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent a0 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a0 -InterruptEvent 26c -NGENProcess 1b0 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess a0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 290 -NGENProcess 1b0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1b0 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 298 -NGENProcess a0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent a0 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a0 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
700KB

MD5
7ccf8db7f3b9f357ba3ac8ed19ec7b3d

SHA1
e93bb5f6d3327b869fbfe808fb73b5d733fdb1f7

SHA256
b0b9ee18c9e5088c6e39c3065c75b9aa883af26203950410336e9793b1a43c34

SHA512
22c1005e7cbc15d28e300512da864667bc48a1ea0cd0e1f401b967406481625d5899426ec02aae9f9b1275d2e9696f9682bceaf731806e3e1e01e1b170939397

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
1feae0cedfe7c13818670793ce02b162

SHA1
499e537f27d3e63e599b34071704ce476ab32160

SHA256
2b9ca5ee7437644ef994aff9d0e6c024d3bea3890805548fb1c8b74418e53f46

SHA512
0bf47031c4a2ad51bf797d3848476f6f39321baa44789f0ea7ff9977de5f9ea668d3a0a12ec65c295e64924927dabdf3ec2220bea37525cd85f1b43b7e76b4ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
642KB

MD5
05d556df916768f1fc5cd53ce09df6f9

SHA1
bca4be651ee40e9c020411c788f67ce5b1865c67

SHA256
719394bc1e9869e277f7074e4c7eddc6c509e4d69306adc26a0eb66c072caf5a

SHA512
20a38a6623fd02e2217b1c6c8a7159c6891c37eefeb151f018d664da008ef391f0a8331711e77ea64780edcf24faa0aa409cdf2e0e32c4abb3661c299f15a45c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
642KB

MD5
05d556df916768f1fc5cd53ce09df6f9

SHA1
bca4be651ee40e9c020411c788f67ce5b1865c67

SHA256
719394bc1e9869e277f7074e4c7eddc6c509e4d69306adc26a0eb66c072caf5a

SHA512
20a38a6623fd02e2217b1c6c8a7159c6891c37eefeb151f018d664da008ef391f0a8331711e77ea64780edcf24faa0aa409cdf2e0e32c4abb3661c299f15a45c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
619KB

MD5
92a62ceb97affc3dba648e00bb184122

SHA1
6383ee02973878e63c8e655d43e294988c171312

SHA256
bb22ff03a90543abd5f28763e2e0474aac749cd3b9a845f0a02b4bda901104db

SHA512
19c8b371c9e778eb1bdea10f2df4b31c9e095382f490d58dabad20626fed57065af1903812ccc50e2147a64ecca45d8d5302acd29fcd08aa867a89a0133068e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
619KB

MD5
92a62ceb97affc3dba648e00bb184122

SHA1
6383ee02973878e63c8e655d43e294988c171312

SHA256
bb22ff03a90543abd5f28763e2e0474aac749cd3b9a845f0a02b4bda901104db

SHA512
19c8b371c9e778eb1bdea10f2df4b31c9e095382f490d58dabad20626fed57065af1903812ccc50e2147a64ecca45d8d5302acd29fcd08aa867a89a0133068e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
650KB

MD5
7e43d291fe394781c4c71c26bde397d5

SHA1
d08d5e5928a8a11c52254ae2253da84d4ef2ed7b

SHA256
f91064abd7a09f3e705670dc0ae4dd6490210027d8c08d1b1e24f9afd197ecd4

SHA512
4681190db369847bd4b0c6aa7d4c455c568a7117cd83741fff18d0a15fff53ae54898cc646e4af535bfe132ad81a94d92508cb8c9bccf75cca98657644a22d5c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
650KB

MD5
7e43d291fe394781c4c71c26bde397d5

SHA1
d08d5e5928a8a11c52254ae2253da84d4ef2ed7b

SHA256
f91064abd7a09f3e705670dc0ae4dd6490210027d8c08d1b1e24f9afd197ecd4

SHA512
4681190db369847bd4b0c6aa7d4c455c568a7117cd83741fff18d0a15fff53ae54898cc646e4af535bfe132ad81a94d92508cb8c9bccf75cca98657644a22d5c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
569KB

MD5
53b3ab21af6c0f3ceae84825667dfa74

SHA1
41be9fa61c279510bda5537df2bb46e14a83e21f

SHA256
c5a274b2889533e1d28142dff59a0dbe6d3f5210f2f11c8f8dd1945a06d96752

SHA512
142330074ca345c614aa5ab660cc6c86da19aa6df4b64dbdc560cb7f739a0db51427f18ac369cbf414c46b3584a19c91a715b00af4e4f0502791f89f6bd87351

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
569KB

MD5
53b3ab21af6c0f3ceae84825667dfa74

SHA1
41be9fa61c279510bda5537df2bb46e14a83e21f

SHA256
c5a274b2889533e1d28142dff59a0dbe6d3f5210f2f11c8f8dd1945a06d96752

SHA512
142330074ca345c614aa5ab660cc6c86da19aa6df4b64dbdc560cb7f739a0db51427f18ac369cbf414c46b3584a19c91a715b00af4e4f0502791f89f6bd87351

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
700KB

MD5
8e660fc3f85501051b1f64e363ebe400

SHA1
f9d658d5e1ac526e5d7d47b234fe4841826bd38b

SHA256
9601b623650575c8d09fcca1e76f85dd00023ed9c2f140a7985efe708fe1e600

SHA512
086fe55b34836e3ec0a57ee975d7f91d0b3a6c70c87c885db5eeea6392c2989dff990c5085fd2c28e05dd9f01f8524f8bfefa4c5657bb4ae8bf1863fc8beb213

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
2bedd7335682c59a9f4c28f286d8788d

SHA1
0ccd59dddba217ff1315e240f4f7ca10a64d1ec4

SHA256
8195a8381c34dfd69f750f86f050810ae816a91b1e64542a66d7a54add802791

SHA512
33b338dee982b429766d2ccb629d9314a9f744d55d5ef11ef314a40e592e7c805a66afead7bef71142d25a2fd9fdb99edd27c9990b6c29410563338ea3eb21f4

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
790KB

MD5
7e4a06b725c6c231791ffd63babf0368

SHA1
f25eb4d8f08e3723153d1a86e0b53bd9b2b1b2c2

SHA256
63a999e05a42317d995cb50bdb2379fbe1de5e433eac89d74c7f361cdbc9a824

SHA512
ec8467af08c105958610e186b36c907f8f6be8b7cbc48868359b2f597cccc8607e84cf98afa09a9ef17618524c94178e83a500e57418d94ce7d442da5a4e7bc4

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.2MB

MD5
1d91cbb78077cac6138daa19dd025a1d

SHA1
1aa723f451c6f04805def11153f8c0bef0fabe5e

SHA256
f6b7a4df25b445f4512b97fca52f9f639828354504323cef2b0ca2f83f3a519c

SHA512
262931eb9286e3fc3d9c1aeb67e9106336573e5204dc08bdce569ef9bae0f3f5eff52464da54e69c0740ebb0b56778dbd908299ec910f55dce26012ee12e19fe

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
a32b09aed62d605cb7d9c03d01183fe4

SHA1
54f627aa5e79f408f06a3554cc20cb8b6d08bad8

SHA256
8a2f43b1de17f8446e535f179b55b1d18ee2c1606a178d1673d3855bd84244fb

SHA512
31873d3c59bc3e685c74a5742cd397455711343033129674c409d99444ef82a7bd57334e1e9bd8cd8d25922c9511fc5cde7868bf6ed86fa35f22ad8e435adf3f

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
684KB

MD5
8c62880ca6d94fd116abd3ef811fd49f

SHA1
fe1d117cb73934f6783e1d5f761d3d3945ff229b

SHA256
3c82e00a1ab8b0abf2dc2a3c2d485f71ce649029f4ee6005fcc5a6249f38ac5b

SHA512
a6031f2f7510de726485d7fc8abadc5b29bd10f74cc755a25db44be073461af88f8a1ff099762fcd5ebe0ba945d92b95feaa77a0472fe128f410c2d966181533

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
596KB

MD5
6f6871fafca513cadee2167860c5f23f

SHA1
c798fbb6f5d188f527ffbee8f0ce9973d9dc2b7f

SHA256
24ad1940f744f63bffc2d690b226efdcd9ae7bfe23c816b0a205ac95c9e06ffb

SHA512
926c6569af07e033ce5481c252750f331bd4cd2447e2a336e9f7ec08bed3e85ab5db68cda57c1e8e833e482de6f5d03595615e91d535221b27f975757821ce70

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
637KB

MD5
2616dabb44d9cca86ad2a183902d964e

SHA1
2dd5cbf86426b20daa56f0cded7a4bb029bb6a9a

SHA256
10e9272e173eaf12c7949bf89b526a74b08ae81efc39dd878aeca050a99d6b3e

SHA512
7881e3364c20078bd817f81109b9067f5cd59d562eb4e317ffe7a6caa32608700047284b4cb4689faa713b4bf6050689d24f94b72a95a9556461b57f73af56f8

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e35755c52ed8c59397a701aaf26ee8f1

SHA1
ee6950ea88d18a31f0be7423396b94c4ad3973af

SHA256
7bfe2da3dc1d0035a467e929945464ecb8e5cbe1694c8cfe759a157d75ce0699

SHA512
219a5ef9685f97f8eb8772112ece212b61a36f164a7a907d848867bf89699b5f0c57d8a0a680a0df94448d8b387762642056fb2b1dea4eda38fb6838af21c312

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
669KB

MD5
fb66d32dab4f0a151ce1d11228bf4059

SHA1
6316f05e9f68dafb5bfcdb0385e4e1cfb09c678c

SHA256
6714d7ea200626cb7d11524d6a0ccef7c42ed6c1228379180464415f0d838671

SHA512
d6a00692d95af28778eb95b943b95427ced032bb8f5b815158067b5566d133cacee1ecd8a6784d54d2f9d06825c58c5394ac6217082017ea5173ce43b9da9f00

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
698KB

MD5
b58d979c97d091ddb0572d4eba4a6bc8

SHA1
7481ab8a1b90214b1caf6d91bdc90dc62775c5ff

SHA256
204d3efc6fd8e330f6f39c9ba9f8838ad1ea0db8e4061fd8c169f282cbfa77c4

SHA512
ecf4065008954961e32b9f43e9996374952bd2714f18ed1e8b5ede63f96286d2dfe4d2a56159422ce75cf99404a9e6287bf8a6c92db68c5b98463ad6e71e1ea0

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
685KB

MD5
aed7a4d3fdd3c01ea119013eceee045c

SHA1
5ec8916ea56eb5ca8845489e81a1afc6ded39191

SHA256
13ee91f01d83b8a1fb276cf0b687298f7e6f554db5804d9e655eb227c88303be

SHA512
c2bd5b394f0cfc9182067112aa7abc564510a52196fa57953f1b69201bd66d132f7948d8f23d67726a87ccbc6783312944239b233fe8599b6ca076afd9b93061

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
574KB

MD5
b0a3ffde24fae93b36caf53672c31f68

SHA1
ca59b6087b7905be082e55538bba970ed0c38f0a

SHA256
c4168c044045354fc6f70102db6d1fa285504a9379eb5f527133418007927c18

SHA512
da64ef6d82b986f5b73fc46e75cd7c18f3662d22dafd69174fd20f4c3b466f8acb26b90a26f2d1c8f5ca5fba0816f346a10d0b14ef001b2fa3c08bfae626e048

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
600KB

MD5
c8c24d339f74920465e3318491634ecb

SHA1
bbf4ba4e37d2f384f619ecbbd52e8cfed813095e

SHA256
5ca77d55587b94beea68b2c4c48f0e20c2af3d5875cd42f6170959943e7dd2c5

SHA512
64b4320e880923050843662dd12ebf6d847e89202f38694383d568cb8eafbb424a30f427e9bd2cd75ad562f6fd9b14c330333fe2fa77adc2a749c0ab14a47b3f

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
252bdeb4db46de23f36289a160895388

SHA1
acefc6783953f82f1a7bacf9f2886f3aaf69af8d

SHA256
2cf32eff48461705f98e562b72dae4df152a5fe93d1f4070efdfc079caeb1f8e

SHA512
348ebd061e88aa44d159a034707e3d03812ca90893f0a612fb3f0d0b55854647ff0aeb0566d976714cfac843afe5bec96c33af459a0d05dc9d829a3a9bb9badb

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
ff1871533a761d7611010e0456aaa9ea

SHA1
f550487de57fcac738f81957e385eb2d055584d5

SHA256
a14a0de5293744c3dee81164c3b5e3aab258ae6342e3c5b6499131dd125fdbf7

SHA512
da3a8778d4828f2e29932ae9812ce763f93ff3d6decfd0543a14fd9f9f8fc497716e5a67bcb549185d9174afec7e1d6093a2048be177ef13ff7480d24855695a

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
758KB

MD5
10924f71d44245d91c920cbee5a46e36

SHA1
89fa1d5f3be62588634df2b28fed747bac00ef54

SHA256
8d127209b57cfd72ef7aa993b6b5d4f351439ff9dd56d3a9c867a4a8734cfeb7

SHA512
4ee50d42eba81af8bda611ebef475e56a4436ecaa163b3c1a547efd1d8e27a7091e3839097c73ce67209fd73165fd3a267f68582cd99049f8e5979ed8c015d07

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
3a9c573963954a6a5c7b1e90238a59d9

SHA1
932608c5701ab89d05a1f73847c2a7a4628d17f9

SHA256
e52462bc146ca8222f769a4ab65476faa6dc8517999f9bf21ca525f15c7b7798

SHA512
869f545e263dc03635636eb6a5161b2bac6b4fd1863336f80d92c90def1e8c62d37c872c2797de16a5acefebee64dac00cde5b77ca5903906b8a226f4be782fb

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
642KB

MD5
05d556df916768f1fc5cd53ce09df6f9

SHA1
bca4be651ee40e9c020411c788f67ce5b1865c67

SHA256
719394bc1e9869e277f7074e4c7eddc6c509e4d69306adc26a0eb66c072caf5a

SHA512
20a38a6623fd02e2217b1c6c8a7159c6891c37eefeb151f018d664da008ef391f0a8331711e77ea64780edcf24faa0aa409cdf2e0e32c4abb3661c299f15a45c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
642KB

MD5
05d556df916768f1fc5cd53ce09df6f9

SHA1
bca4be651ee40e9c020411c788f67ce5b1865c67

SHA256
719394bc1e9869e277f7074e4c7eddc6c509e4d69306adc26a0eb66c072caf5a

SHA512
20a38a6623fd02e2217b1c6c8a7159c6891c37eefeb151f018d664da008ef391f0a8331711e77ea64780edcf24faa0aa409cdf2e0e32c4abb3661c299f15a45c

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
9c6691f07944b0c12e2bafa503264482

SHA1
afb50370a04aba7ffff41eb508b673df27f91214

SHA256
bec6ecf0f76d14961a00e62be8a380237473aa5ca1468fb604a11b61fd1cd5f4

SHA512
86c94b8b629d05d39d06e3b4361acd5a900d06ca49d13117c8462a73945b4e1b0ee54b57c13d84d36ee7b80b019213c0a882ad0a284c181837ceafc0befccf45

Download Submit
\Windows\System32\dllhost.exe

Filesize
569KB

MD5
53b3ab21af6c0f3ceae84825667dfa74

SHA1
41be9fa61c279510bda5537df2bb46e14a83e21f

SHA256
c5a274b2889533e1d28142dff59a0dbe6d3f5210f2f11c8f8dd1945a06d96752

SHA512
142330074ca345c614aa5ab660cc6c86da19aa6df4b64dbdc560cb7f739a0db51427f18ac369cbf414c46b3584a19c91a715b00af4e4f0502791f89f6bd87351

Download Submit
\Windows\System32\dllhost.exe

Filesize
569KB

MD5
53b3ab21af6c0f3ceae84825667dfa74

SHA1
41be9fa61c279510bda5537df2bb46e14a83e21f

SHA256
c5a274b2889533e1d28142dff59a0dbe6d3f5210f2f11c8f8dd1945a06d96752

SHA512
142330074ca345c614aa5ab660cc6c86da19aa6df4b64dbdc560cb7f739a0db51427f18ac369cbf414c46b3584a19c91a715b00af4e4f0502791f89f6bd87351

Download Submit
\Windows\System32\dllhost.exe

Filesize
569KB

MD5
53b3ab21af6c0f3ceae84825667dfa74

SHA1
41be9fa61c279510bda5537df2bb46e14a83e21f

SHA256
c5a274b2889533e1d28142dff59a0dbe6d3f5210f2f11c8f8dd1945a06d96752

SHA512
142330074ca345c614aa5ab660cc6c86da19aa6df4b64dbdc560cb7f739a0db51427f18ac369cbf414c46b3584a19c91a715b00af4e4f0502791f89f6bd87351

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5DB.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5DB.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD07A.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD07A.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE283.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE283.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEEC3.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEEC3.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF7D7.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF7D7.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
memory/328-227-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/520-113-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/520-107-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/520-58-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download
memory/520-120-0x0000000004150000-0x0000000004158000-memory.dmp

Filesize
32KB

Download
memory/520-119-0x0000000100000000-0x00000001001E0000-memory.dmp

Filesize
1.9MB

Download
memory/520-123-0x0000000100000000-0x00000001001E0000-memory.dmp

Filesize
1.9MB

Download
memory/568-205-0x000007FEF2A80000-0x000007FEF34A3000-memory.dmp

Filesize
10.1MB

Download
memory/568-206-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/624-200-0x000007FEF2270000-0x000007FEF2C93000-memory.dmp

Filesize
10.1MB

Download
memory/624-204-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/624-201-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/640-85-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/696-244-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/696-242-0x000007FEF2A40000-0x000007FEF3463000-memory.dmp

Filesize
10.1MB

Download
memory/760-64-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/760-62-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/812-67-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/812-88-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/892-246-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/892-245-0x000007FEF2A80000-0x000007FEF34A3000-memory.dmp

Filesize
10.1MB

Download
memory/892-148-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/892-248-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/892-141-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/892-143-0x000007FEF2A80000-0x000007FEF34A3000-memory.dmp

Filesize
10.1MB

Download
memory/896-209-0x000007FEF2270000-0x000007FEF2C93000-memory.dmp

Filesize
10.1MB

Download
memory/896-208-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/896-211-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/924-222-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/976-223-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/976-225-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1000-76-0x0000000100000000-0x00000001001E0000-memory.dmp

Filesize
1.9MB

Download
memory/1000-91-0x0000000100000000-0x00000001001E0000-memory.dmp

Filesize
1.9MB

Download
memory/1004-194-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1004-199-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1004-193-0x000007FEF2A80000-0x000007FEF34A3000-memory.dmp

Filesize
10.1MB

Download
memory/1016-249-0x000007FEF2270000-0x000007FEF2C93000-memory.dmp

Filesize
10.1MB

Download
memory/1016-250-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1040-234-0x000007FEF2050000-0x000007FEF2A73000-memory.dmp

Filesize
10.1MB

Download
memory/1040-235-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1040-237-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1084-142-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1084-138-0x000007FEF2050000-0x000007FEF2A73000-memory.dmp

Filesize
10.1MB

Download
memory/1108-186-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1108-181-0x000007FEF2270000-0x000007FEF2C93000-memory.dmp

Filesize
10.1MB

Download
memory/1172-212-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1172-213-0x000007FEF2A80000-0x000007FEF34A3000-memory.dmp

Filesize
10.1MB

Download
memory/1172-215-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1228-216-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1228-218-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1280-231-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1420-168-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1472-241-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1472-238-0x000007FEF2270000-0x000007FEF2C93000-memory.dmp

Filesize
10.1MB

Download
memory/1472-239-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1508-229-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1532-128-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1556-220-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1628-153-0x000000001CAC0000-0x000000001CDBF000-memory.dmp

Filesize
3.0MB

Download
memory/1628-151-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1628-150-0x000007FEF3960000-0x000007FEF4383000-memory.dmp

Filesize
10.1MB

Download
memory/1628-152-0x000007FEEE060000-0x000007FEEF0F6000-memory.dmp

Filesize
16.6MB

Download
memory/1628-156-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1632-233-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1656-170-0x000007FEF2270000-0x000007FEF2C93000-memory.dmp

Filesize
10.1MB

Download
memory/1656-175-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1656-169-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1704-189-0x000007FEEE060000-0x000007FEEF0F6000-memory.dmp

Filesize
16.6MB

Download
memory/1704-192-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1704-188-0x000007FEF3150000-0x000007FEF3B73000-memory.dmp

Filesize
10.1MB

Download
memory/1704-187-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1708-180-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1708-176-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1724-158-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1724-159-0x000000001CAE0000-0x000000001CDDF000-memory.dmp

Filesize
3.0MB

Download
memory/1724-164-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1724-157-0x000007FEEE6D0000-0x000007FEEF0F3000-memory.dmp

Filesize
10.1MB

Download
memory/1744-55-0x0000000001000000-0x00000000011E4000-memory.dmp

Filesize
1.9MB

Download
memory/1744-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1744-70-0x0000000001000000-0x00000000011E4000-memory.dmp

Filesize
1.9MB

Download
memory/1812-90-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1812-71-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1820-129-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1820-132-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1932-80-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1932-84-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2044-137-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2044-133-0x000007FEF2A80000-0x000007FEF34A3000-memory.dmp

Filesize
10.1MB

Download
memory/2044-134-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download