expiro | fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
Size

555KB
MD5

0cc3d8cf8bdd19f9c4e2ff65f825f321
SHA1

465982caffd39ce142eb30cf0ac0957996853ead
SHA256

fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260
SHA512

2af08782fc289ab6a8009f609f8330b64f51e5f288ac096a8a6ea6b9b5e9c9be492046374f54918267503716cf048f0e2ff40a25a1ff1895941057f756d93349
SSDEEP

12288:T7RRaMMMMM2MMMMM/H0jZrctbNgED36KATHFNpsOFgaPJn29BPP0Ih/2YDiG:T7RRaMMMMM2MMMMM/HK5sbNgED36KAr+

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2660-2-0x0000000001000000-0x00000000011B0000-memory.dmp	family_expiro1
behavioral1/memory/2828-62-0x0000000010000000-0x00000000101AF000-memory.dmp	family_expiro1
behavioral1/memory/2348-82-0x0000000140000000-0x0000000140377000-memory.dmp	family_expiro1

Executes dropped EXE 43 IoCs

pid	Process
2828	mscorsvw.exe
476	Process not Found
2724	mscorsvw.exe
2524	mscorsvw.exe
1192	mscorsvw.exe
2348	elevation_service.exe
2036	IEEtwCollector.exe
2092	mscorsvw.exe
2980	mscorsvw.exe
2860	mscorsvw.exe
1372	mscorsvw.exe
2536	mscorsvw.exe
272	mscorsvw.exe
2508	mscorsvw.exe
2412	mscorsvw.exe
2448	mscorsvw.exe
1940	mscorsvw.exe
2636	mscorsvw.exe
3056	mscorsvw.exe
2932	mscorsvw.exe
2716	mscorsvw.exe
2128	mscorsvw.exe
2240	mscorsvw.exe
1616	mscorsvw.exe
2732	mscorsvw.exe
2880	mscorsvw.exe
888	mscorsvw.exe
1100	mscorsvw.exe
2416	mscorsvw.exe
1544	mscorsvw.exe
1476	mscorsvw.exe
2520	mscorsvw.exe
2100	mscorsvw.exe
2336	mscorsvw.exe
2920	mscorsvw.exe
940	mscorsvw.exe
1232	mscorsvw.exe
2576	mscorsvw.exe
2608	mscorsvw.exe
2236	mscorsvw.exe
2176	mscorsvw.exe
2784	mscorsvw.exe
2256	mscorsvw.exe

Loads dropped DLL 34 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2508	mscorsvw.exe
2508	mscorsvw.exe
2448	mscorsvw.exe
2448	mscorsvw.exe
2636	mscorsvw.exe
2636	mscorsvw.exe
2932	mscorsvw.exe
2932	mscorsvw.exe
2128	mscorsvw.exe
2128	mscorsvw.exe
1616	mscorsvw.exe
1616	mscorsvw.exe
2880	mscorsvw.exe
2880	mscorsvw.exe
1100	mscorsvw.exe
1100	mscorsvw.exe
1544	mscorsvw.exe
1544	mscorsvw.exe
2520	mscorsvw.exe
2520	mscorsvw.exe
2336	mscorsvw.exe
2336	mscorsvw.exe
940	mscorsvw.exe
940	mscorsvw.exe
2576	mscorsvw.exe
2576	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
2784	mscorsvw.exe
2784	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\K:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\N:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\O:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\X:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\G:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\J:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\M:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\P:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\T:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\H:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\S:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\Y:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\E:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\L:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\Q:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\V:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\W:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\U:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\Z:	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\alg.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\ui0detect.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\vssvc.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\wbengine.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\msiexec.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\snmptrap.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\msdtc.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\vds.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\vds.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\locator.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\system32\fxssvc.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\DVD Maker\DVDMaker.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\7-Zip\7zFM.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA5F0.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP95E9.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9FF7.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA322.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBB53.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP99CF.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2660	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2660	fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe
Token: SeShutdownPrivilege	1192	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2092	1192	mscorsvw.exe	38
PID 1192 wrote to memory of 2092	1192	mscorsvw.exe	38
PID 1192 wrote to memory of 2092	1192	mscorsvw.exe	38
PID 1192 wrote to memory of 2980	1192	mscorsvw.exe	39
PID 1192 wrote to memory of 2980	1192	mscorsvw.exe	39
PID 1192 wrote to memory of 2980	1192	mscorsvw.exe	39
PID 1192 wrote to memory of 2860	1192	mscorsvw.exe	41
PID 1192 wrote to memory of 2860	1192	mscorsvw.exe	41
PID 1192 wrote to memory of 2860	1192	mscorsvw.exe	41
PID 1192 wrote to memory of 1372	1192	mscorsvw.exe	42
PID 1192 wrote to memory of 1372	1192	mscorsvw.exe	42
PID 1192 wrote to memory of 1372	1192	mscorsvw.exe	42
PID 1192 wrote to memory of 2536	1192	mscorsvw.exe	43
PID 1192 wrote to memory of 2536	1192	mscorsvw.exe	43
PID 1192 wrote to memory of 2536	1192	mscorsvw.exe	43
PID 1192 wrote to memory of 272	1192	mscorsvw.exe	44
PID 1192 wrote to memory of 272	1192	mscorsvw.exe	44
PID 1192 wrote to memory of 272	1192	mscorsvw.exe	44
PID 1192 wrote to memory of 2508	1192	mscorsvw.exe	45
PID 1192 wrote to memory of 2508	1192	mscorsvw.exe	45
PID 1192 wrote to memory of 2508	1192	mscorsvw.exe	45
PID 1192 wrote to memory of 2412	1192	mscorsvw.exe	46
PID 1192 wrote to memory of 2412	1192	mscorsvw.exe	46
PID 1192 wrote to memory of 2412	1192	mscorsvw.exe	46
PID 1192 wrote to memory of 2448	1192	mscorsvw.exe	47
PID 1192 wrote to memory of 2448	1192	mscorsvw.exe	47
PID 1192 wrote to memory of 2448	1192	mscorsvw.exe	47
PID 1192 wrote to memory of 1940	1192	mscorsvw.exe	48
PID 1192 wrote to memory of 1940	1192	mscorsvw.exe	48
PID 1192 wrote to memory of 1940	1192	mscorsvw.exe	48
PID 1192 wrote to memory of 2636	1192	mscorsvw.exe	49
PID 1192 wrote to memory of 2636	1192	mscorsvw.exe	49
PID 1192 wrote to memory of 2636	1192	mscorsvw.exe	49
PID 1192 wrote to memory of 3056	1192	mscorsvw.exe	50
PID 1192 wrote to memory of 3056	1192	mscorsvw.exe	50
PID 1192 wrote to memory of 3056	1192	mscorsvw.exe	50
PID 1192 wrote to memory of 2932	1192	mscorsvw.exe	51
PID 1192 wrote to memory of 2932	1192	mscorsvw.exe	51
PID 1192 wrote to memory of 2932	1192	mscorsvw.exe	51
PID 1192 wrote to memory of 2716	1192	mscorsvw.exe	52
PID 1192 wrote to memory of 2716	1192	mscorsvw.exe	52
PID 1192 wrote to memory of 2716	1192	mscorsvw.exe	52
PID 1192 wrote to memory of 2128	1192	mscorsvw.exe	53
PID 1192 wrote to memory of 2128	1192	mscorsvw.exe	53
PID 1192 wrote to memory of 2128	1192	mscorsvw.exe	53
PID 1192 wrote to memory of 2240	1192	mscorsvw.exe	54
PID 1192 wrote to memory of 2240	1192	mscorsvw.exe	54
PID 1192 wrote to memory of 2240	1192	mscorsvw.exe	54
PID 1192 wrote to memory of 1616	1192	mscorsvw.exe	55
PID 1192 wrote to memory of 1616	1192	mscorsvw.exe	55
PID 1192 wrote to memory of 1616	1192	mscorsvw.exe	55
PID 1192 wrote to memory of 2732	1192	mscorsvw.exe	56
PID 1192 wrote to memory of 2732	1192	mscorsvw.exe	56
PID 1192 wrote to memory of 2732	1192	mscorsvw.exe	56
PID 1192 wrote to memory of 2880	1192	mscorsvw.exe	57
PID 1192 wrote to memory of 2880	1192	mscorsvw.exe	57
PID 1192 wrote to memory of 2880	1192	mscorsvw.exe	57
PID 1192 wrote to memory of 888	1192	mscorsvw.exe	58
PID 1192 wrote to memory of 888	1192	mscorsvw.exe	58
PID 1192 wrote to memory of 888	1192	mscorsvw.exe	58
PID 1192 wrote to memory of 1100	1192	mscorsvw.exe	59
PID 1192 wrote to memory of 1100	1192	mscorsvw.exe	59
PID 1192 wrote to memory of 1100	1192	mscorsvw.exe	59
PID 1192 wrote to memory of 2416	1192	mscorsvw.exe	60

C:\Users\Admin\AppData\Local\Temp\fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
"C:\Users\Admin\AppData\Local\Temp\fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 160 -NGENProcess 164 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1b4 -NGENProcess 1ec -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 260 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 150 -NGENProcess 230 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 258 -NGENProcess 264 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 270 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 270 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 260 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c8 -NGENProcess 2a8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d0 -NGENProcess 2b0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b0 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d8 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
636KB

MD5
7940dc74ca1f0722f5484f3a534c8a8a

SHA1
3081a257c60518ddc047fa15c5ec5ef970a0b1d8

SHA256
3741b4a6bd0926f3830c2d2de1ce3e8e6409e29dca30b739a3c5304d5d05246f

SHA512
4c70b930979cc72b93dc0fbf8de2442fa2ceb6f58dbe17e81892be8958a915acbfd7e59f1b42d2f51e0664221cf46ddca57f0b5ee59dcbcb615142b5a008f676

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
1e8c97e3083b68169d3a515cff6e5111

SHA1
b1aaf898eeb5af9b297aa108339626fc3000e060

SHA256
d6288c31cd9c4d6e64b0e27d9db0a9d722b1c1ea9ca1025c5ebdd44554a5ed09

SHA512
be86b2760e1d91ad555e79b2e53f4a0a97c6afde0130c1bba736fc4c23b337a85056b0b6a60f29b22cff7479abf390dee283ab1c5174ef58ba5839a8289b864d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
d3450c7c35a2694031802172c6ead437

SHA1
418d216541f01e0955565d09b28d57bb5fa18ec7

SHA256
2d8d50864556197a5dc854cdbce4554f94cd221674261cb29e571a062d40d77a

SHA512
48f3b3b1140ee46f83f0df842cb0eb45f9e06855a66134a08c41e6e12f07e6061edd102a9212d8da416f422e722037d5b356da6f1e64097e1779afe2ba86858d

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
0f4de9eed4ec7738db0e850e6fa3cc3c

SHA1
5792fbc548c1cd1dd45e27dcf92b44c60a466cda

SHA256
7f02293c3d6ae6726e184dcf284cb08ef21c1bf5ef9502ad22c64d579ee14427

SHA512
0a4525cb3130603fe617da1ec80711144cab38a1431510c70c0059d3990235f9d839c46d89baf21f04f952072c600d742b634825e16ff563dc21e242ad619e9a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
578KB

MD5
139602aa087f9d9ec661047147fd75a0

SHA1
2ab1febc1de9d34f408aafb09d3cae7ccabb5ed6

SHA256
3bf88360a81dd4f757de5ca5aaff7405583a8dabb9842ca95377115508019c08

SHA512
c9ba4160d1f47977ea31015e12f451e96f6e2d00885c430c62eb7259334c6b8e2e128e9cd78ba4c4ac4722f23dbdde5d95cf350e6fd7b697e75d5d36bbdbc882

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
39cf383bd95d601b7d1e99e9c0fabec9

SHA1
39b94fba6baa5ee6042a8078c3e6f8c0d73723ec

SHA256
653ba49e7242bd8537bd5c1dcbf0073ebe9b006e436376d82c793bb98cae238e

SHA512
2902bdb0888aacad91e0a24ff52b0fcc69a0dfa093c148eab3c3b926e53fbd91cc03eac9ca72bb68c3da48975e6b0f7a90594a9105f4c454cbbc5f8919a6da26

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
31164d80cad0bd9d922f340b076487da

SHA1
8ec51684b3dffd3d47d6afae4571253f6b289906

SHA256
258a3dd6157ea6175c64af4ca46c67157ac301d10c45601a652a574dccde88e6

SHA512
61ed14334735928b506f50db4916e57fe3bf41e14ac12f34ec5b24c57b54a1281037c165c242b3f8b84e16ca09d5ac3bd8a760bde0c5021ae29ed30e112b0920

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
aa43d0488f7e642552f09a6b29617c92

SHA1
8b8772311404377b84eb8134e3a421be453aabb7

SHA256
55e22210542806425add5d8272df4f000f6077ac0ea03e254f08bd8d83210675

SHA512
986306a2d989802d0ca3c06259294c7b411e0e8376a3f35ff473a55279606e5fb79734ab868644af64386c833f6a78ded507e5b3a2c75c6902bb628618827a27

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e7ef406961ef629b0737e4b12c168e95

SHA1
511fe37bec4f397629b5b6009d72946ec100ce20

SHA256
95b2d67f35e45c97444459a2e0b6899dbf4247d5b2b830fe9fe58a5847a595dd

SHA512
a2626a2976bea93fb3d1630e03761cd4143651066bd0384aa8227070d690e18467030de2bb86071993c258fc83d7a976142e0878b54491a5f90571e8f49b0309

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
c12a99441e52968e8d09d5cd2c9d3ab8

SHA1
154c9bc6266bfb7385bea7c2bba25c82c4e686ba

SHA256
8d5ef7a8a337c4290f5e5a72ba811cbc563110b2d131748c3f43250a907ccf33

SHA512
0e8aed3295dccaf7c5044cba9404ed5facac7d51583b3b1c33976dc9ae9e42c5b848ba9d77ad922c521c57bd30ac630ece262d582f017b027491a981bd60042c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\18b690bc565071bab3067be1056d9e7c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
99e4c4835873ebd6109bc82c216f58ab

SHA1
58b1d47ff102cbb1e127c286d00c23dbb307ccef

SHA256
884aebab760050c881e5996b8b665c27f09fb5a286a0c4ceaa523706c3fd74b8

SHA512
8fc4ce035c9071b476f843ecfbf3eb5f004ac02f635daf25d2970974a713d7d660a3fc83aadb8399eeed74e02e1b56c9c51164f9afb20317a86599071c77f170

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2b8f082e326ce80d7c052f5e0e282320\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
8f1598d7f5f1b9a55c155fc30d49cff7

SHA1
8f5d1701290e9ae026663918902cbbb0a3cf1fe7

SHA256
23333154e9d1486790b9798d7b49015926a0c83d32904d7fe73f8a18577e05dc

SHA512
f9d83e9906fb7a69328d4695aebd33011e6be2b1abe225f50e3889fbe8c1453dac8c5bdf18b7d5912e8e41b04286eab53d7f52c401e84b8305caabd0b140ab0d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f325c9cf1e9e9310fbafc8a8279d91ec\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
e2563001f6cb21029d66baf931987ceb

SHA1
ce50609cf784d15c8de410c1a0482379a7443e3c

SHA256
ddd0708a7428ee9f0f94122b912a5be8b51c5061bcf3c6d57fdb95e3fc4cac61

SHA512
cfaf869187bf2f75a7d8e2b9251b60c79ea245215277672c4c40f402528217951fa3bde58fb415b7328f377fbeef77dc5de1cca795593cedd23c72b6ec8057f8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
636KB

MD5
6fa3aeea907baa8554343d54aa1dd392

SHA1
93a451a0d239675aeb58a7520ceacfd4936c76b0

SHA256
916b3b5ce1a398579273b65bc0d661ba610a748b0961179d88af501ea7966673

SHA512
5c5fcb8d7b21f63a72758f000f26f4227211aa3b827af4cc72c9e1f11baaef80c8c13c5c8b2ff194c0b3a1b942c980591df63e1cb091cc92c54083b20ca5b7bf

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
11c7d12dea4c3b8452c1e7e182e781e5

SHA1
caa4ee9b659f770490b493706b23742a3b5357ce

SHA256
18504bfcacc37c8d66726e43668398534a65588599c902bbc76a8c0358a39c4e

SHA512
5911abb427db0fca053130b72476e14ad93f741d526f11c1666c4494e5ec995a01466e435a3f463fa7a4a49682306709d08c17cd10b9296d1d5d04844931959c

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
711KB

MD5
4056bb549692146374baf22de65ac9a9

SHA1
2c2f87854f224e8e83692e84a3e54ee56f34758a

SHA256
bb596245b90c135f925e158c5724ff933d38574869d15010023723bde43821b0

SHA512
ab3b078cf9d08081feb973da735749d609f0ae054b153b3e0aadb019c5d2a2f77bd6d50dd4dbc5dd8166a2ab105f83b8e7ca7dc17622048e3222d73bc84e27d1

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
620KB

MD5
5876cab74c4bf085e5763f96fb4f610c

SHA1
e41e4ebfed37221bb57522ac045d961778acbff5

SHA256
9689f61f00739cad1ea463885b78117fe32a14a29f206657b3573b0a1bbc5c3b

SHA512
c9f78acc72f2ff5eb80b573e36f8e9bc119646efff781b5fc6a2fe550e69e82f4722930b615236d9c15d7ffa52204fa27737492b5a92c5b1570e027a55e34f91

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
532KB

MD5
70429c1893dc04b0ce44ab6f40e5cd19

SHA1
1e9e54711e946e939a23dd9056c3666431da8f31

SHA256
71d552b11c25cfceb8bd140da3c00e4a6533cc21dfdbd7b17550f1bc41f88015

SHA512
e5016bad77673a30ee4eab774265aff941d9ad1f7194d38c966968575ecb9e614cf8624baffb811b23a42e6d4c5e739e594c72cf731c19a6d08454a05f35855e

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
573KB

MD5
079669ee93592eb521704bae4381869d

SHA1
6b8556f47e8c7de82ae23c133355c7f27d78c776

SHA256
8be7b55001abd30214a71886af5ba99258b47f98754a43e1c2d8578ec121ed62

SHA512
5bcc3d7442e3d2250aec12d220f26badcaabea19f995a224e280e02dcf832b3fadef1631242c282f4ecb94bdbfb3e0c21d984946311adb38d1b6bc5b050058bb

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
e6bd91c040bb6048492419a007a3d1ad

SHA1
69b4b24da2dd20f096f04a0061456cede9fa28a2

SHA256
da402f6665b88f2f9b094c59f3389dbd1315e4803c6465bb656f9c36dbb489ec

SHA512
d4826a819023a025458372abaca6a1d049be6048fb75cc80411f3e2f974dc6c2a77d6be67ee242a5e1e6fe9fbbe9a83a14a1dd7d52090dc683be86006c0e6462

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
634KB

MD5
c451cc0bb6c093282c71c66a416fb4ad

SHA1
6ee697cdc48a3a2a2f7beee1b4f513a28583f7b3

SHA256
eb2f9f9407e798d5b67c116a4b00cf2248267afa0cfb93893801e80dd7bb59a9

SHA512
39659a286d8d9505ef919c7c61fc79e0d367073f9e2570e5200a87f39b8c9b641423786e25bdae31dbc450cc2ed44f0ccccde26346fab54f03c8a3a7acb5a0f5

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
621KB

MD5
0dfe9ec4f8bfd7ea7c1cd1db78cf064c

SHA1
2f1cb70bf3857a031e1e6c9bc136e451a337ddd3

SHA256
e7c2ae5c2ccc319cdede991ff7fc1abe178abaea2191707fbf525b7914e2cde2

SHA512
160a31a88ac25ce3ac24a38ab230c9ed16458f19254417fe981030c7dc2cc5ac6c01d5c04197078896d825874a153e9892921e9acf868ce3679a36d5c7665856

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
510KB

MD5
434e3ccb338f385e085838dc95f696ff

SHA1
ba59e55470171e9426f532befd5fd65440e4de5f

SHA256
fb689981adf4089f2352afa15c835f52d9b8981b9186f3464e091b6a61595f9e

SHA512
79fc100aea32d05fea82f7e050bdb707d1e1fcdc2a52fd238b9b09f5125606a4a01e6fa174e9d109909b74d65f84ec3d9c49cb797cab8f4857104d4d7772b9f6

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
536KB

MD5
c3d0210d954460cbe35579d326445689

SHA1
58bc04b9a503f6aa98cee50a985aad8271734deb

SHA256
31bef2ff6cb7412ee62243219d118c41adab65c6daa0e6b4e9273118603d9423

SHA512
34ebf5b5d11a36c25d22db973f231344a6bec9798cdd253dba8a529471397b312afd255d829049f6e04ad6d1cd48f387226e994f26a2e541e10788973faf5f21

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1017KB

MD5
9c3d63f0033524aed57a67042678a97b

SHA1
11113dac872d2c665b925b5653c1df89cb899442

SHA256
52a762da59043f2ec9a7eaf305bf4054e6e7dcfdc12c00246becbac5e07369e0

SHA512
8e89b449b830e0611ff63dd4adb90fb0a0abb170fa739041fad70332c756bddbde4a2f2752b64afb327b397fde6e384d61d47c4fd921be60164d611d26f07bed

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
fbf9da0ac1f25286e76c569f235832bd

SHA1
12dbbbf0152cd425f3d2fd18aa398ebaf96e774e

SHA256
ecbbd70b15750e12db1eb48498dd2a98eb5d4197bf3925a7e0aec2b24c203469

SHA512
259b96e88441f30434ef3f8690a74ff0b7c6c3f298ab08aabcd4c595879ce7636070d256d75477d1cb2f3965e1f09c7fa7b174856f782651b773d445f6134e1d

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
694KB

MD5
854c787cbd89f55ac2d80fc1c72ddc7f

SHA1
8a9445a86ebd67c96dbc298b0ad28ee2ebedc34a

SHA256
25622f8ba97c183f31d592b49181446646dcdd65c2e53c931ac38ccf72a4baa7

SHA512
8ea132ecbf57ded39cbf49da4df2e0120a6a73d62f3647923d3c51feb4f9f6d0fc70e697250dbcda656585a06f0202432a794c4ee2d022c74b48e573f7e43f23

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
70494d42de9774d70804de164b38bf5e

SHA1
b881b825d38907207e22aea3561ff67c0158b7c3

SHA256
5f81688ab745475e9b46c619f70e17336d7b07e0affabed5cbb0650cc4b5adda

SHA512
e44279dd208bdc9c25014fe4740a101ea84aab885e926515d2ed2a5dd58268fbedc01d998a9087348b5972fc8cccb5023be8ec871f333ebf12f4d17cc6cc531d

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
08585b66bb6f624ae1a8f4fc92af114b

SHA1
b9df617e094bfb8956f9e8a62048d4ac634a7449

SHA256
34e7e19e8fc7de4d051568fc026dc503ed9a193c478a5fc8f452067c3653b558

SHA512
096a54b9d50c0c02c31655b353c5380f96263d22723dbd537ee1a1b163dc05d1036813827b2fae1f2a1b1b01271ea334d74a9c66ec0f2ec8ba9ca9b68d9782f5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
6f7a0829db6dab05978a51d020c1fa5c

SHA1
f9f0e17cd726235f05f4bd75806d719324985550

SHA256
1888e0f47d2f8969c3c8f21977a2732d0f8a268fc6f8693da2eb376b75b8a386

SHA512
89be061d47c7cd502a8ff5522ceac242fa1394fbb911099f1df6a307a36cfea774b8a55b391006bededa2d66f8e2e9733ffac69335c9b8f3134a6c685a551f5c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
605KB

MD5
6459ec65e9c06f85a5090d88a9aae1c3

SHA1
385dc5100dc90a131d37f426b035cbcbd4013e8d

SHA256
1dff9d1f9b33d691204c7f0e8eab45dc3c80bcf14aefcc911171139c7b64381c

SHA512
1742e3a7b07b089292f72ccf1289bf41678ef2dcecfc420674bf2ab0ee1920f5007000fa5c6fab78cd9662472174fabb3b5443e11457fa90e97007f82ec9888f

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP92BE.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP95E9.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP99CF.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9CDB.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9FF7.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA322.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/272-310-0x0000000003110000-0x0000000003126000-memory.dmp

Filesize
88KB

Download
memory/272-307-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/272-313-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/272-309-0x000000001C490000-0x000000001C4D8000-memory.dmp

Filesize
288KB

Download
memory/272-308-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/272-305-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1192-56-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1192-147-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1192-57-0x0000000140001000-0x0000000140003000-memory.dmp

Filesize
8KB

Download
memory/1372-296-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1372-303-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1616-458-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1616-478-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1616-469-0x0000000003220000-0x000000000322E000-memory.dmp

Filesize
56KB

Download
memory/1616-465-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/1940-365-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1940-366-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/1940-368-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/1940-370-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2036-89-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2036-177-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2036-224-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2092-180-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2092-152-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2128-441-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2128-435-0x0000000002F40000-0x0000000002F5A000-memory.dmp

Filesize
104KB

Download
memory/2128-436-0x0000000002F60000-0x0000000002F76000-memory.dmp

Filesize
88KB

Download
memory/2128-428-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2128-440-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2128-451-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2240-450-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2240-456-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/2240-459-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2348-82-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/2348-151-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/2412-334-0x0000000000960000-0x0000000000978000-memory.dmp

Filesize
96KB

Download
memory/2412-340-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2412-337-0x000000001C520000-0x000000001C53A000-memory.dmp

Filesize
104KB

Download
memory/2412-338-0x000000001C540000-0x000000001C55E000-memory.dmp

Filesize
120KB

Download
memory/2412-332-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2412-336-0x0000000002FA0000-0x0000000002FAE000-memory.dmp

Filesize
56KB

Download
memory/2448-355-0x000000001D160000-0x000000001D178000-memory.dmp

Filesize
96KB

Download
memory/2448-344-0x000000001C490000-0x000000001C49E000-memory.dmp

Filesize
56KB

Download
memory/2448-345-0x000000001C4C0000-0x000000001C508000-memory.dmp

Filesize
288KB

Download
memory/2448-346-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/2448-364-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2448-343-0x000000001C480000-0x000000001C48C000-memory.dmp

Filesize
48KB

Download
memory/2448-347-0x000000001CA00000-0x000000001CA1E000-memory.dmp

Filesize
120KB

Download
memory/2448-354-0x000000001D160000-0x000000001D178000-memory.dmp

Filesize
96KB

Download
memory/2448-342-0x000000001C110000-0x000000001C128000-memory.dmp

Filesize
96KB

Download
memory/2508-312-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2508-316-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2508-318-0x000000001C4C0000-0x000000001C4D6000-memory.dmp

Filesize
88KB

Download
memory/2508-315-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/2508-317-0x00000000008B0000-0x00000000008F8000-memory.dmp

Filesize
288KB

Download
memory/2508-322-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/2508-323-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/2508-333-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2524-46-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2536-306-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2636-373-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/2636-378-0x00000000008A0000-0x00000000008B0000-memory.dmp

Filesize
64KB

Download
memory/2636-377-0x0000000000880000-0x000000000089A000-memory.dmp

Filesize
104KB

Download
memory/2636-376-0x00000000008C0000-0x0000000000908000-memory.dmp

Filesize
288KB

Download
memory/2636-375-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/2636-374-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/2636-372-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2636-383-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2636-382-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2636-393-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2660-0-0x0000000001000000-0x00000000011B0000-memory.dmp

Filesize
1.7MB

Download
memory/2660-1-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download
memory/2660-2-0x0000000001000000-0x00000000011B0000-memory.dmp

Filesize
1.7MB

Download
memory/2716-421-0x00000000006A0000-0x00000000006BA000-memory.dmp

Filesize
104KB

Download
memory/2716-429-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2716-422-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/2716-420-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2724-35-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2724-37-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2724-67-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2828-21-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/2828-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2828-62-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/2860-301-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2932-405-0x0000000000900000-0x0000000000914000-memory.dmp

Filesize
80KB

Download
memory/2932-410-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2932-409-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2932-419-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2932-403-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2932-404-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/2980-181-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2980-179-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3056-397-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3056-394-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/3056-395-0x00000000031D0000-0x00000000031E4000-memory.dmp

Filesize
80KB

Download
memory/3056-392-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download