e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272

Analysis

max time kernel
134s
max time network
171s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
Size

985KB
MD5

0e92716af7b16fa6eef8a16570324970
SHA1

b72491f524ed0ecb6a079b940275996102c2ca5f
SHA256

e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272
SHA512

818693770e6f55fef439f07218730cc2e5d0b7d3f17db220f9668164edfcfd058f3a6ef165a9562da3054b6ecb8622b540a25c6303abdd0ae48d5b420f2255fd
SSDEEP

12288:/SoO2yqUoh8jBYrA+1efkraRwkM8rlqsNfAIrau0sNMTho2Of3xKz7:/rO2GVBY+f9anwIsknsCoo

Score

8^/10

discovery evasion persistence trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 16 IoCs

pid	Process
1648	mscorsvw.exe
460	Process not Found
2036	mscorsvw.exe
1712	mscorsvw.exe
1076	mscorsvw.exe
1784	dllhost.exe
964	epyfy.exe
1672	mscorsvw.exe
1688	elevation_service.exe
1552	IEEtwCollector.exe
1116	mscorsvw.exe
1688	mscorsvw.exe
852	mscorsvw.exe
1336	mscorsvw.exe
468	mscorsvw.exe
2032	mscorsvw.exe

Deletes itself 1 IoCs

pid	Process
432	cmd.exe

Loads dropped DLL 8 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
460	Process not Found
460	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000\EnableNotifications = "0"	mscorsvw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\epyfy.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Ahef\\epyfy.exe"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\F:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\ui0detect.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\system32\pnmkfgbf.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\fcjknabl.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\vds.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\alg.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\locator.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\SysWOW64\madoagfi.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\system32\jdpamdhl.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\system32\elignlkm.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\olmmmknh.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\system32\hfhlllml.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\SysWOW64\gpfppccl.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\system32\ghgmmlnm.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\system32\dgmjiqlk.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\system32\bbiibgbd.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\system32\fgbplhqg.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\jhpafeja.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\klchnkgb.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\npjnqeik.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\lmmqhaam.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\program files (x86)\microsoft office\office14\fnlkcqlo.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	mscorsvw.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\pjeniimo.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D161B4FF-77D4-453B-8AE5-94AB9EC90D81}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File created	\??\c:\windows\servicing\hmcckgcf.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\bjejmkce.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\ehome\kdifccfc.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\emegggoj.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\jhibkfde.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	\??\c:\windows\servicing\fonngqok.tmp	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\aoniaimp.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	\??\c:\windows\ehome\joebmnhe.tmp	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D161B4FF-77D4-453B-8AE5-94AB9EC90D81}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\079E7319-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
964	epyfy.exe
1072	explorer.exe
964	epyfy.exe
1072	explorer.exe
1072	explorer.exe
1076	mscorsvw.exe
1072	explorer.exe
1072	explorer.exe
1072	explorer.exe
1072	explorer.exe
1076	mscorsvw.exe
1072	explorer.exe
1072	explorer.exe
1072	explorer.exe
1072	explorer.exe
1076	mscorsvw.exe
1072	explorer.exe
1072	explorer.exe
1072	explorer.exe
1072	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeSecurityPrivilege	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
Token: SeTakeOwnershipPrivilege	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1076	mscorsvw.exe
Token: SeManageVolumePrivilege	552	WinMail.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe
Token: SeShutdownPrivilege	1076	mscorsvw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
552	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
552	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
552	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 964	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe	32
PID 912 wrote to memory of 964	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe	32
PID 912 wrote to memory of 964	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe	32
PID 912 wrote to memory of 964	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe	32
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 964 wrote to memory of 1072	964	epyfy.exe	33
PID 1076 wrote to memory of 1672	1076	mscorsvw.exe	34
PID 1076 wrote to memory of 1672	1076	mscorsvw.exe	34
PID 1076 wrote to memory of 1672	1076	mscorsvw.exe	34
PID 964 wrote to memory of 1092	964	epyfy.exe	3
PID 964 wrote to memory of 1092	964	epyfy.exe	3
PID 964 wrote to memory of 1092	964	epyfy.exe	3
PID 964 wrote to memory of 1092	964	epyfy.exe	3
PID 964 wrote to memory of 1092	964	epyfy.exe	3
PID 964 wrote to memory of 1180	964	epyfy.exe	10
PID 964 wrote to memory of 1180	964	epyfy.exe	10
PID 964 wrote to memory of 1180	964	epyfy.exe	10
PID 964 wrote to memory of 1180	964	epyfy.exe	10
PID 964 wrote to memory of 1180	964	epyfy.exe	10
PID 964 wrote to memory of 1208	964	epyfy.exe	9
PID 964 wrote to memory of 1208	964	epyfy.exe	9
PID 964 wrote to memory of 1208	964	epyfy.exe	9
PID 964 wrote to memory of 1208	964	epyfy.exe	9
PID 964 wrote to memory of 1208	964	epyfy.exe	9
PID 964 wrote to memory of 912	964	epyfy.exe	11
PID 964 wrote to memory of 912	964	epyfy.exe	11
PID 964 wrote to memory of 912	964	epyfy.exe	11
PID 964 wrote to memory of 912	964	epyfy.exe	11
PID 964 wrote to memory of 912	964	epyfy.exe	11
PID 1072 wrote to memory of 964	1072	explorer.exe	32
PID 1072 wrote to memory of 964	1072	explorer.exe	32
PID 1072 wrote to memory of 964	1072	explorer.exe	32
PID 1072 wrote to memory of 964	1072	explorer.exe	32
PID 1072 wrote to memory of 964	1072	explorer.exe	32
PID 1076 wrote to memory of 1116	1076	mscorsvw.exe	38
PID 1076 wrote to memory of 1116	1076	mscorsvw.exe	38
PID 1076 wrote to memory of 1116	1076	mscorsvw.exe	38
PID 964 wrote to memory of 552	964	epyfy.exe	36
PID 964 wrote to memory of 552	964	epyfy.exe	36
PID 964 wrote to memory of 552	964	epyfy.exe	36
PID 964 wrote to memory of 552	964	epyfy.exe	36
PID 964 wrote to memory of 552	964	epyfy.exe	36
PID 912 wrote to memory of 432	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe	39
PID 912 wrote to memory of 432	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe	39
PID 912 wrote to memory of 432	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe	39
PID 912 wrote to memory of 432	912	e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe	39
PID 1076 wrote to memory of 1688	1076	mscorsvw.exe	41
PID 1076 wrote to memory of 1688	1076	mscorsvw.exe	41
PID 1076 wrote to memory of 1688	1076	mscorsvw.exe	41
PID 1076 wrote to memory of 852	1076	mscorsvw.exe	42
PID 1076 wrote to memory of 852	1076	mscorsvw.exe	42
PID 1076 wrote to memory of 852	1076	mscorsvw.exe	42
PID 1076 wrote to memory of 1336	1076	mscorsvw.exe	43
PID 1076 wrote to memory of 1336	1076	mscorsvw.exe	43
PID 1076 wrote to memory of 1336	1076	mscorsvw.exe	43
PID 1076 wrote to memory of 468	1076	mscorsvw.exe	44
PID 1076 wrote to memory of 468	1076	mscorsvw.exe	44

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe
  "C:\Users\Admin\AppData\Local\Temp\e0e73a52224d1b81302388cd627fea2a83a7d2b7fe106e89145e902528d19272.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Roaming\Ahef\epyfy.exe
    "C:\Users\Admin\AppData\Roaming\Ahef\epyfy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbc873559.bat"
    3⤵
    - Deletes itself
    PID:432

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1648

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 19c -NGENProcess 1a0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 220 -NGENProcess 228 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 1dc -NGENProcess 1b0 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 264 -NGENProcess 234 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1b0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 234 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 258 -NGENProcess 234 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 280 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 268 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 188 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 188 -NGENProcess 1dc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 188 -InterruptEvent 290 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:1352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 1dc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1dc -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2a0 -NGENProcess 288 -Pipe 188 -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 110 -InterruptEvent 2a8 -NGENProcess 2c4 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 254 -NGENProcess 2cc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2cc -NGENProcess 110 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 254 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e0 -NGENProcess 110 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 110 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 110 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 274 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2f0 -NGENProcess 2e0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1264

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1784

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
f9c372a72831f0cfd6feea6d933b78ff

SHA1
f0ccfe709081562189846d6fc4b7cc4e97fd8bd3

SHA256
75343d787832c630e6c55b8368139668aebc806ef05914cdd0c1fd0fa82bad7a

SHA512
90e1f1d74145f85701877b085d0f669a08b568030428176a6033a036597b188d094397e89717dac38bc4ba632eba8cce31a417b99a7f86446cc280fbe0bbf1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpbc873559.bat

Filesize
307B

MD5
f75ac0f690f37b89b4259363064a1a54

SHA1
7f06ec8211b65f607cc217f33c4a389756040c5a

SHA256
9410c1bfbb60f03c4368aa45cbdc30071aca31375b870589b695af809266765c

SHA512
84593f282be39af3b539504142200adc0562dcac2ca4490659eb3e59b979ff6fabf73920b991fa619d6e369df9dc6e71884aee88c29c5b52d1907127fb730eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Ahef\epyfy.exe

Filesize
985KB

MD5
e8e1ec047f7d8b87ee93276f7da38fb4

SHA1
db85132e7aaa7446fcc77cff49c6367bc391e857

SHA256
406b4e8bae1c192859e1c6589f0dbf97de0724d0666bcfc356119cd285118d15

SHA512
6ec6235aa2dadd02dfe85f714a0f27456e772d0c9062e30d1e83bec34a7e0415e86d8a9a5fcece868c869489017d86d00d3eac0cff22980a6b1210e27116c030

Download Submit
C:\Users\Admin\AppData\Roaming\Ahef\epyfy.exe

Filesize
985KB

MD5
e8e1ec047f7d8b87ee93276f7da38fb4

SHA1
db85132e7aaa7446fcc77cff49c6367bc391e857

SHA256
406b4e8bae1c192859e1c6589f0dbf97de0724d0666bcfc356119cd285118d15

SHA512
6ec6235aa2dadd02dfe85f714a0f27456e772d0c9062e30d1e83bec34a7e0415e86d8a9a5fcece868c869489017d86d00d3eac0cff22980a6b1210e27116c030

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
b5fa1b92f77d19347014dd69ab7b20f7

SHA1
bd25f2deb6fff5f46f1e332d7951dda8e44ba38a

SHA256
d64604d470753cd034fff47525b34c0eedd9cedc97ed2cc9305acbfb94f011c3

SHA512
4a73a3d55f01ae8084474cdcf1cd6f47153e93c18e6fd55a9c4934a4ec7a628ca68fc9c7fbcf97026cfe2dd41cbf05a51a6eb94bc5c9191d663c43edbac3c28e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
b5fa1b92f77d19347014dd69ab7b20f7

SHA1
bd25f2deb6fff5f46f1e332d7951dda8e44ba38a

SHA256
d64604d470753cd034fff47525b34c0eedd9cedc97ed2cc9305acbfb94f011c3

SHA512
4a73a3d55f01ae8084474cdcf1cd6f47153e93c18e6fd55a9c4934a4ec7a628ca68fc9c7fbcf97026cfe2dd41cbf05a51a6eb94bc5c9191d663c43edbac3c28e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
637KB

MD5
885ebf2bf020482dba5a10a226e05541

SHA1
c0e1e09c611043c3f9fcce6989627fa1e63f9e36

SHA256
41e825d875c3cb7d0ea0375968ca603ef31c7e86f347d2bb4cd02d1f670e964d

SHA512
91e94cf4ae5a54b69011717e9443a9091abf0e003a1b0799a2aaa74471e97b433a5ccb1c641f2519a9ce91384def63d4816a507af163f852a2e66193fb2fb0fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
637KB

MD5
885ebf2bf020482dba5a10a226e05541

SHA1
c0e1e09c611043c3f9fcce6989627fa1e63f9e36

SHA256
41e825d875c3cb7d0ea0375968ca603ef31c7e86f347d2bb4cd02d1f670e964d

SHA512
91e94cf4ae5a54b69011717e9443a9091abf0e003a1b0799a2aaa74471e97b433a5ccb1c641f2519a9ce91384def63d4816a507af163f852a2e66193fb2fb0fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
a1ec9925adf5f939f185c8f414e9f2c9

SHA1
535dc7813b1083cad711817fdb090a3169f5eddc

SHA256
2292c9b87a9d9e1ec51a2d303b69f1ba07de2916d68be8007eece52de2017b9a

SHA512
061ee1110dfbbf220d6b0d948bd4aa8d017ac5cbf70aad8ff24dc9cc464f794ffb422d961fd92f453e23eac274461e423e55e21a73c941c7d5e6c914323752af

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
589KB

MD5
4b73853acb885e85a9c1e1db605d88e9

SHA1
85d41ef7f392185d6830162413459da71e826b23

SHA256
b6985dac8d9a027bf929fb42f8edf8c8015f1d6020b90aab519c445f84b3b706

SHA512
6387c00abf4d8c634d6b18c50850b98bc932badf3cf18271d22dabae9fecaabfa15f7c315ac064804d8143e8a1f195c00f3b9c89fca1b33819ca42f0bdfdcc1f

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
686KB

MD5
71a74621d70b6dbb5d60fd28d0512d8a

SHA1
8fff211754d0022bc6c50c41d99887c970370e73

SHA256
0236d3edca6a2454e92b88192a190761c4795e5dd9e3db9e80e01fcb2bd9a192

SHA512
f393fb955e6c5ead791107b4f36a874ee1bd234b484fdd26bce2bcebf006a25d51f04b513bfe477023b875acd6b8a32af63d9511486e22b3ead335ef4e42e419

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
718KB

MD5
e6f06e4d23026ea0852b95093721e865

SHA1
b78e17fe7a8617ce2278ebb0e15b3985113300f3

SHA256
b3b5f7ebe8fe1dab080bcca79fa0eba56ab3355a5164c656b820691c2628463b

SHA512
a6d8b17d315eb7a7a94cbce76ec756e86f081981cf1fb8ff6b523dc5182178dc298901d76172838a2fe29a94252b1e25a23be64aac84beafda6a34dea1b2ad88

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
c0fc68717ecd181d71b930c770cf65f0

SHA1
bb2d5f594a9f2a3e136fb0a7bc863b70bd64f994

SHA256
cb009c870814e33f125821ae96c33f020d16b149de09e4b1334cb5c1ad49a651

SHA512
ffb6d66612bc74ee46aa00b22b7145520e02ac350a3b0d4fcbd33ffe232c0eab72880c24a663a7498d097ca3c29f2e247426447308ebbc3a67df178439d17a83

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
808KB

MD5
b6fe2a177da794080c47d6280f0966bf

SHA1
8da0567da47f687acaf92cbf7858af3756134247

SHA256
8cea7ba7d012a5e61701358569fddaa353334efd01e721afb6084e4eb1f57e9b

SHA512
be1560e1332ee8a80a7bc92573e51473fb6c7d23cba41211b982e04363af1dc88aaaf8b8bdc967985cfc9b00e238d5556e1afcfc54e6aa22819b457cbf26ee16

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.3MB

MD5
6a0a53065ea40a88b54347e7150af858

SHA1
fb5dc993f4689307ef321cc28c59faadbb333695

SHA256
3811547371b050eff45bc334aa8883742087c259c31360128e734324021c55e8

SHA512
b96dde5bdc36237cdf5d3bb40ded19f47f62d71872157a52f8da42203c81ef9dbc125ee5292aababa4ed7b9635b15f155bfd359a7bf10e6406096d7ca34017d8

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
f9c372a72831f0cfd6feea6d933b78ff

SHA1
f0ccfe709081562189846d6fc4b7cc4e97fd8bd3

SHA256
75343d787832c630e6c55b8368139668aebc806ef05914cdd0c1fd0fa82bad7a

SHA512
90e1f1d74145f85701877b085d0f669a08b568030428176a6033a036597b188d094397e89717dac38bc4ba632eba8cce31a417b99a7f86446cc280fbe0bbf1dc

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
466b7e9956a4e532c9f5346a4d4b509e

SHA1
d59abaeafa665cd0a882703883f377cc0fa33fa9

SHA256
c8fe5019f8ad45359521e0e70ee6536ed187990cff5eb4c1af68c1c98b0dd979

SHA512
9ffa5483ab4de4eafff88293f90b957bbe247028465288beff4b5ae67d5dfdad94cf5e01f94536e5b5908bb1250e7b089db23dd7b9acec8084e6f5da5c049698

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
703KB

MD5
cc91091661ca47d378e2f9a3f31ba8f1

SHA1
f1db1117619993fd5c4474058f9b5813eb4abb71

SHA256
7c364c3defe781207e2244a37df36e6de4b7069194b1f6781f9d80bdf7b2a09b

SHA512
3c193b9f3db1a216cf9016819430574d9b8b3786f388c68282413ff8bc447948ab8feb34e5481dd152bd31ec49c871e47347aa6d2b8e809f0dbaadcac7a85ba8

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
615KB

MD5
ae34644b950c7eb27e507cbf1d66af89

SHA1
113ac1658110b13bbfb17ac8a4e443dd1c52e0ef

SHA256
717aa94e2ff692f2d713c228e6c8b802c870d3df474574c23d28c36f47a5c4a0

SHA512
06ee49faf439ad4f161301c9fc8cc5fc29c27870201b1a9b499ffb115e6c2698811764ca243780909f230745c1e7af07eb6ac409da7f5560cd38b40f69c377d2

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
a1ec9925adf5f939f185c8f414e9f2c9

SHA1
535dc7813b1083cad711817fdb090a3169f5eddc

SHA256
2292c9b87a9d9e1ec51a2d303b69f1ba07de2916d68be8007eece52de2017b9a

SHA512
061ee1110dfbbf220d6b0d948bd4aa8d017ac5cbf70aad8ff24dc9cc464f794ffb422d961fd92f453e23eac274461e423e55e21a73c941c7d5e6c914323752af

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
656KB

MD5
b499e2df96384788fca612e4a5c75d5d

SHA1
733c7f8e0ec57b30faa402125f0fe5ae866f78a5

SHA256
091bad4e29a7484eb19229ab6225898439aee3d94dd3957c1c06a7fdd01d04e2

SHA512
b921f0ae2be2481937fffbbb6b09053d13141678dea40146c044599666cafe0f414c8133a60412c8bf26a94e14ddac6569d7377fd94cc93211feea95d8220e04

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
840784ce2e9587d4a3c8ce809d6e7410

SHA1
60d86aac71ad49485d68cf2f845d83900094af09

SHA256
1d4bafefea64b19effaa2bc210c70722812271e071fdb9821034e247171e6f86

SHA512
b4c6645ca621800be56429653cff9e5db4cadb0ddaf8c1eb5180e7795b5ea3e64f4b559a65b4dc0037f6c2fe2968fe2817d45a319cdc91c0802a67cd9b683d30

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
686KB

MD5
71a74621d70b6dbb5d60fd28d0512d8a

SHA1
8fff211754d0022bc6c50c41d99887c970370e73

SHA256
0236d3edca6a2454e92b88192a190761c4795e5dd9e3db9e80e01fcb2bd9a192

SHA512
f393fb955e6c5ead791107b4f36a874ee1bd234b484fdd26bce2bcebf006a25d51f04b513bfe477023b875acd6b8a32af63d9511486e22b3ead335ef4e42e419

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
717KB

MD5
bd9a6decb91b86608d21c8c830efe32d

SHA1
9f0c64e4152fdf4a7e361a8602e6f31071384b26

SHA256
79013c271c507651617c89ccc9cd453722ec2dc5902a444fcb6d08daa69556d1

SHA512
f82adf16a90449dd07d032be274d63b760237b3a8c3d02ebad4ac5ad53d7dda02a65b125fd39e79a16fbe5037b741159bd946034752a87e92c5fbb0a0c912815

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
703KB

MD5
1c634afad08ff3b799f3a02903e5bfe0

SHA1
62fe1c7611b936c21eaa121e00149240f002b6b1

SHA256
f50290082ee870187845988a208658d908207e21eb03624e3968e93a5f0ebd9a

SHA512
e607cf299838baf29e1afa252a10ce46dfd7d9c2a80b5d11d32ea1665de2c3acbfea147afded97ab2fc45f627351159c4d68d464cec505ebc09da0b3b1e4580e

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
593KB

MD5
99dc1ceee134d520f1aff9c7e96a9b1b

SHA1
c55afe83cd25bab4ae577da4deb723094dc93348

SHA256
19328293c2c708e3bf8e1941ce708d51d5351ad58408bd413b51cad894d052ef

SHA512
4d33e2d19ef8cbcc1b430da4e1c75fc8e82ae9ddeb13c72ee1d4c390532e42a43faf516df341886780ad42a1e9db9fe658f26b97545cfcc7318409a4f2189942

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
619KB

MD5
ce498b744eecb011ed6f9293d196df47

SHA1
eea314b57c006a8222510865747b06b438b36740

SHA256
2567291d08b3693544a2723c5fedcb0d7364454271ffd143da54bdbe0650ef87

SHA512
444e3a64a73fbcb5c98400a7caab57179a13c0691b33a3d6aca02c159857958bdf555e28ecdcaaf7812d85b0a45d4214a208d0984bcf64cf00871966826b4ca6

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
78373a57dc1008ac003555bbdf0d5477

SHA1
4a60a96e61724a6838d30b25708a94e12e5ac7cc

SHA256
96ba3ccce5e75ea513f52fe836bf0f853a83d7508fdc57e928741e3ad66699a2

SHA512
8cc0a7144c10c22ac81c32f1fc50ea3223b12dd0707d4af88c04a8cde271e433b8201c8eaf353b40a19b454061bdc54b2fc6abda3ea07dbf45e0a03d74bcf034

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
f9c372a72831f0cfd6feea6d933b78ff

SHA1
f0ccfe709081562189846d6fc4b7cc4e97fd8bd3

SHA256
75343d787832c630e6c55b8368139668aebc806ef05914cdd0c1fd0fa82bad7a

SHA512
90e1f1d74145f85701877b085d0f669a08b568030428176a6033a036597b188d094397e89717dac38bc4ba632eba8cce31a417b99a7f86446cc280fbe0bbf1dc

Download Submit
\Users\Admin\AppData\Roaming\Ahef\epyfy.exe

Filesize
985KB

MD5
e8e1ec047f7d8b87ee93276f7da38fb4

SHA1
db85132e7aaa7446fcc77cff49c6367bc391e857

SHA256
406b4e8bae1c192859e1c6589f0dbf97de0724d0666bcfc356119cd285118d15

SHA512
6ec6235aa2dadd02dfe85f714a0f27456e772d0c9062e30d1e83bec34a7e0415e86d8a9a5fcece868c869489017d86d00d3eac0cff22980a6b1210e27116c030

Download Submit
\Users\Admin\AppData\Roaming\Ahef\epyfy.exe

Filesize
985KB

MD5
e8e1ec047f7d8b87ee93276f7da38fb4

SHA1
db85132e7aaa7446fcc77cff49c6367bc391e857

SHA256
406b4e8bae1c192859e1c6589f0dbf97de0724d0666bcfc356119cd285118d15

SHA512
6ec6235aa2dadd02dfe85f714a0f27456e772d0c9062e30d1e83bec34a7e0415e86d8a9a5fcece868c869489017d86d00d3eac0cff22980a6b1210e27116c030

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
b5fa1b92f77d19347014dd69ab7b20f7

SHA1
bd25f2deb6fff5f46f1e332d7951dda8e44ba38a

SHA256
d64604d470753cd034fff47525b34c0eedd9cedc97ed2cc9305acbfb94f011c3

SHA512
4a73a3d55f01ae8084474cdcf1cd6f47153e93c18e6fd55a9c4934a4ec7a628ca68fc9c7fbcf97026cfe2dd41cbf05a51a6eb94bc5c9191d663c43edbac3c28e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
b5fa1b92f77d19347014dd69ab7b20f7

SHA1
bd25f2deb6fff5f46f1e332d7951dda8e44ba38a

SHA256
d64604d470753cd034fff47525b34c0eedd9cedc97ed2cc9305acbfb94f011c3

SHA512
4a73a3d55f01ae8084474cdcf1cd6f47153e93c18e6fd55a9c4934a4ec7a628ca68fc9c7fbcf97026cfe2dd41cbf05a51a6eb94bc5c9191d663c43edbac3c28e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
48b8a147bd7311b7088fec591cdaa91f

SHA1
afe464cffd01f46aa5d92cad06b951276aed1b03

SHA256
241d3244c4a947d566e2c95e8adba86c1d608d6a39f685ba59e440d5ba9deb46

SHA512
f41f7a5b4d2f917de4456fb1d9b06a1dcaab61c8ea37a2333e519ed8791e8674c93e5b82c508335281649374bc8d08745eaf61277e4cfaf86fbace53d68714a6

Download Submit
\Windows\System32\dllhost.exe

Filesize
589KB

MD5
4b73853acb885e85a9c1e1db605d88e9

SHA1
85d41ef7f392185d6830162413459da71e826b23

SHA256
b6985dac8d9a027bf929fb42f8edf8c8015f1d6020b90aab519c445f84b3b706

SHA512
6387c00abf4d8c634d6b18c50850b98bc932badf3cf18271d22dabae9fecaabfa15f7c315ac064804d8143e8a1f195c00f3b9c89fca1b33819ca42f0bdfdcc1f

Download Submit
\Windows\System32\dllhost.exe

Filesize
589KB

MD5
4b73853acb885e85a9c1e1db605d88e9

SHA1
85d41ef7f392185d6830162413459da71e826b23

SHA256
b6985dac8d9a027bf929fb42f8edf8c8015f1d6020b90aab519c445f84b3b706

SHA512
6387c00abf4d8c634d6b18c50850b98bc932badf3cf18271d22dabae9fecaabfa15f7c315ac064804d8143e8a1f195c00f3b9c89fca1b33819ca42f0bdfdcc1f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
686KB

MD5
71a74621d70b6dbb5d60fd28d0512d8a

SHA1
8fff211754d0022bc6c50c41d99887c970370e73

SHA256
0236d3edca6a2454e92b88192a190761c4795e5dd9e3db9e80e01fcb2bd9a192

SHA512
f393fb955e6c5ead791107b4f36a874ee1bd234b484fdd26bce2bcebf006a25d51f04b513bfe477023b875acd6b8a32af63d9511486e22b3ead335ef4e42e419

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP45E7.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP45E7.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5449.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5449.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5909.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5909.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5C92.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5C92.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6079.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6079.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
memory/328-269-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/468-207-0x000007FEF2FA0000-0x000007FEF39C3000-memory.dmp

Filesize
10.1MB

Download
memory/468-209-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/552-184-0x00000000046C0000-0x00000000046F7000-memory.dmp

Filesize
220KB

Download
memory/552-107-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/552-181-0x00000000046C0000-0x00000000046F7000-memory.dmp

Filesize
220KB

Download
memory/552-183-0x00000000046C0000-0x00000000046F7000-memory.dmp

Filesize
220KB

Download
memory/552-121-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/552-110-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/552-108-0x000007FEF6041000-0x000007FEF6043000-memory.dmp

Filesize
8KB

Download
memory/564-280-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/592-282-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/780-246-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/852-202-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/912-174-0x0000000002E10000-0x0000000003057000-memory.dmp

Filesize
2.3MB

Download
memory/912-153-0x0000000002360000-0x0000000002397000-memory.dmp

Filesize
220KB

Download
memory/912-57-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/912-173-0x0000000002E10000-0x0000000003057000-memory.dmp

Filesize
2.3MB

Download
memory/912-56-0x0000000001F50000-0x0000000002196000-memory.dmp

Filesize
2.3MB

Download
memory/912-161-0x0000000002360000-0x0000000002397000-memory.dmp

Filesize
220KB

Download
memory/912-86-0x0000000002E10000-0x0000000003057000-memory.dmp

Filesize
2.3MB

Download
memory/912-70-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/912-154-0x0000000002360000-0x0000000002397000-memory.dmp

Filesize
220KB

Download
memory/912-55-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/912-151-0x0000000002360000-0x0000000002397000-memory.dmp

Filesize
220KB

Download
memory/912-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/912-85-0x0000000002E10000-0x0000000003057000-memory.dmp

Filesize
2.3MB

Download
memory/912-187-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/964-157-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/964-88-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/964-186-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/964-158-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/964-159-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/964-160-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/964-175-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/964-87-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/964-162-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/1072-178-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1072-93-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1072-105-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1072-94-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1072-89-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1072-97-0x0000000074861000-0x0000000074863000-memory.dmp

Filesize
8KB

Download
memory/1072-91-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1076-118-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1076-74-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1084-278-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1092-133-0x0000000001CB0000-0x0000000001CE7000-memory.dmp

Filesize
220KB

Download
memory/1092-136-0x0000000001CB0000-0x0000000001CE7000-memory.dmp

Filesize
220KB

Download
memory/1092-135-0x0000000001CB0000-0x0000000001CE7000-memory.dmp

Filesize
220KB

Download
memory/1116-166-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1116-170-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1180-141-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/1180-142-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/1180-139-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/1208-147-0x0000000002940000-0x0000000002977000-memory.dmp

Filesize
220KB

Download
memory/1208-145-0x0000000002940000-0x0000000002977000-memory.dmp

Filesize
220KB

Download
memory/1208-148-0x0000000002940000-0x0000000002977000-memory.dmp

Filesize
220KB

Download
memory/1252-266-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1296-263-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1296-287-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1296-285-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1336-203-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/1336-205-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1352-251-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1448-224-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1448-218-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1448-219-0x000007FEEE700000-0x000007FEEF123000-memory.dmp

Filesize
10.1MB

Download
memory/1540-270-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1540-273-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1552-191-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1552-193-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1552-119-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1576-289-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1576-230-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1584-233-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1584-236-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1648-61-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/1648-59-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/1672-168-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1672-106-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1688-103-0x0000000140000000-0x0000000140401000-memory.dmp

Filesize
4.0MB

Download
memory/1688-241-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1688-196-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1688-199-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1712-68-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/1784-130-0x0000000100000000-0x0000000100288000-memory.dmp

Filesize
2.5MB

Download
memory/1784-78-0x0000000100000000-0x0000000100288000-memory.dmp

Filesize
2.5MB

Download
memory/1920-284-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2020-276-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2024-254-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2024-258-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2032-211-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2032-212-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/2032-216-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2036-69-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/2036-66-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download