expiro | e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
Size

770KB
MD5

5a271a2b06d5ffd0f67b5895f3a01897
SHA1

a7a9fd3660f0c5c87d201b5a06c9ac7ec18a0951
SHA256

e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73
SHA512

c7781c0780d6b929c101dd5c295426bd9a3e3689ccd53b8b9a5ad64341738757c3f471121b788b10629fb9c6be8dd948f181c8972b795a8138ba47e20d2e81ea
SSDEEP

24576:FsqSroAupL8uSrOoMxossbnJivQjZFnyHYPd:FGD+LzG7hsEnJGQ1py4Pd

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2172-2-0x0000000001000000-0x00000000011E4000-memory.dmp	family_expiro1
behavioral1/memory/2920-55-0x0000000010000000-0x00000000101BF000-memory.dmp	family_expiro1
behavioral1/memory/2820-95-0x0000000000400000-0x00000000005C8000-memory.dmp	family_expiro1

Executes dropped EXE 40 IoCs

pid	Process
2920	mscorsvw.exe
476	Process not Found
2856	mscorsvw.exe
2820	mscorsvw.exe
1984	mscorsvw.exe
1868	elevation_service.exe
2032	IEEtwCollector.exe
2840	mscorsvw.exe
856	mscorsvw.exe
1912	mscorsvw.exe
2824	mscorsvw.exe
2236	mscorsvw.exe
2944	mscorsvw.exe
2596	mscorsvw.exe
2212	mscorsvw.exe
588	mscorsvw.exe
904	mscorsvw.exe
592	mscorsvw.exe
2060	mscorsvw.exe
1076	mscorsvw.exe
2192	mscorsvw.exe
2920	mscorsvw.exe
2984	mscorsvw.exe
2636	mscorsvw.exe
1056	mscorsvw.exe
1484	mscorsvw.exe
2716	mscorsvw.exe
2116	mscorsvw.exe
844	mscorsvw.exe
2816	mscorsvw.exe
1544	mscorsvw.exe
2384	mscorsvw.exe
2396	mscorsvw.exe
2036	mscorsvw.exe
2556	mscorsvw.exe
2652	mscorsvw.exe
1128	mscorsvw.exe
2972	mscorsvw.exe
1052	mscorsvw.exe
2688	mscorsvw.exe

Loads dropped DLL 30 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2596	mscorsvw.exe
2596	mscorsvw.exe
588	mscorsvw.exe
588	mscorsvw.exe
592	mscorsvw.exe
592	mscorsvw.exe
1076	mscorsvw.exe
1076	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
2636	mscorsvw.exe
2636	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
2116	mscorsvw.exe
2116	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2384	mscorsvw.exe
2384	mscorsvw.exe
2036	mscorsvw.exe
2036	mscorsvw.exe
2652	mscorsvw.exe
2652	mscorsvw.exe
2972	mscorsvw.exe
2972	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3290804112-2823094203-3137964600-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3290804112-2823094203-3137964600-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\G:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\H:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\T:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\M:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\O:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\W:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\Y:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\U:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\X:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\I:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\Q:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\R:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\V:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\P:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\S:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\E:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\L:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\N:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\J:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened (read-only)	\??\K:	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\vds.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\fxssvc.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\vssvc.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\wbengine.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\alg.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File created	\??\c:\windows\system32\msdtc.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\msiexec.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\locator.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\ui0detect.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\vds.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\windows\system32\snmptrap.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\DVD Maker\DVDMaker.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\7-Zip\7zFM.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\Internet Explorer\ieinstal.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\7-Zip\7zG.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5763.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP695D.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP739A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5ED3.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6BAE.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\ehsched.vir	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4F97.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2172	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe
Token: SeShutdownPrivilege	1984	mscorsvw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2172	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
2172	e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2840	1984	mscorsvw.exe	37
PID 1984 wrote to memory of 2840	1984	mscorsvw.exe	37
PID 1984 wrote to memory of 2840	1984	mscorsvw.exe	37
PID 1984 wrote to memory of 856	1984	mscorsvw.exe	39
PID 1984 wrote to memory of 856	1984	mscorsvw.exe	39
PID 1984 wrote to memory of 856	1984	mscorsvw.exe	39
PID 1984 wrote to memory of 1912	1984	mscorsvw.exe	40
PID 1984 wrote to memory of 1912	1984	mscorsvw.exe	40
PID 1984 wrote to memory of 1912	1984	mscorsvw.exe	40
PID 1984 wrote to memory of 2824	1984	mscorsvw.exe	41
PID 1984 wrote to memory of 2824	1984	mscorsvw.exe	41
PID 1984 wrote to memory of 2824	1984	mscorsvw.exe	41
PID 1984 wrote to memory of 2236	1984	mscorsvw.exe	42
PID 1984 wrote to memory of 2236	1984	mscorsvw.exe	42
PID 1984 wrote to memory of 2236	1984	mscorsvw.exe	42
PID 1984 wrote to memory of 2944	1984	mscorsvw.exe	43
PID 1984 wrote to memory of 2944	1984	mscorsvw.exe	43
PID 1984 wrote to memory of 2944	1984	mscorsvw.exe	43
PID 1984 wrote to memory of 2596	1984	mscorsvw.exe	44
PID 1984 wrote to memory of 2596	1984	mscorsvw.exe	44
PID 1984 wrote to memory of 2596	1984	mscorsvw.exe	44
PID 1984 wrote to memory of 2212	1984	mscorsvw.exe	45
PID 1984 wrote to memory of 2212	1984	mscorsvw.exe	45
PID 1984 wrote to memory of 2212	1984	mscorsvw.exe	45
PID 1984 wrote to memory of 588	1984	mscorsvw.exe	46
PID 1984 wrote to memory of 588	1984	mscorsvw.exe	46
PID 1984 wrote to memory of 588	1984	mscorsvw.exe	46
PID 1984 wrote to memory of 904	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 904	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 904	1984	mscorsvw.exe	47
PID 1984 wrote to memory of 592	1984	mscorsvw.exe	48
PID 1984 wrote to memory of 592	1984	mscorsvw.exe	48
PID 1984 wrote to memory of 592	1984	mscorsvw.exe	48
PID 1984 wrote to memory of 2060	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2060	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 2060	1984	mscorsvw.exe	49
PID 1984 wrote to memory of 1076	1984	mscorsvw.exe	50
PID 1984 wrote to memory of 1076	1984	mscorsvw.exe	50
PID 1984 wrote to memory of 1076	1984	mscorsvw.exe	50
PID 1984 wrote to memory of 2192	1984	mscorsvw.exe	51
PID 1984 wrote to memory of 2192	1984	mscorsvw.exe	51
PID 1984 wrote to memory of 2192	1984	mscorsvw.exe	51
PID 1984 wrote to memory of 2920	1984	mscorsvw.exe	52
PID 1984 wrote to memory of 2920	1984	mscorsvw.exe	52
PID 1984 wrote to memory of 2920	1984	mscorsvw.exe	52
PID 1984 wrote to memory of 2984	1984	mscorsvw.exe	53
PID 1984 wrote to memory of 2984	1984	mscorsvw.exe	53
PID 1984 wrote to memory of 2984	1984	mscorsvw.exe	53
PID 1984 wrote to memory of 2636	1984	mscorsvw.exe	54
PID 1984 wrote to memory of 2636	1984	mscorsvw.exe	54
PID 1984 wrote to memory of 2636	1984	mscorsvw.exe	54
PID 1984 wrote to memory of 1056	1984	mscorsvw.exe	55
PID 1984 wrote to memory of 1056	1984	mscorsvw.exe	55
PID 1984 wrote to memory of 1056	1984	mscorsvw.exe	55
PID 1984 wrote to memory of 1484	1984	mscorsvw.exe	56
PID 1984 wrote to memory of 1484	1984	mscorsvw.exe	56
PID 1984 wrote to memory of 1484	1984	mscorsvw.exe	56
PID 1984 wrote to memory of 2716	1984	mscorsvw.exe	57
PID 1984 wrote to memory of 2716	1984	mscorsvw.exe	57
PID 1984 wrote to memory of 2716	1984	mscorsvw.exe	57
PID 1984 wrote to memory of 2116	1984	mscorsvw.exe	58
PID 1984 wrote to memory of 2116	1984	mscorsvw.exe	58
PID 1984 wrote to memory of 2116	1984	mscorsvw.exe	58
PID 1984 wrote to memory of 844	1984	mscorsvw.exe	59

C:\Users\Admin\AppData\Local\Temp\e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe
"C:\Users\Admin\AppData\Local\Temp\e4bc1355260aeed8b45a3f61e1c7def8fab46a65e9162b990b512401f243be73.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2920

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 194 -NGENProcess 190 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 194 -NGENProcess 190 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e4 -NGENProcess 158 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 258 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 23c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 1e4 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 1e4 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 1e4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1e4 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 158 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 158 -InterruptEvent 284 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 158 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 158 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 158 -InterruptEvent 290 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 25c -NGENProcess 284 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 284 -Pipe 158 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 284 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 2b0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 28c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 28c -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2c8 -NGENProcess 298 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 298 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
700KB

MD5
096842dab577c717a48fcbb493606fb0

SHA1
76b07764b579d8f8b734846cd58d738d720c5ad8

SHA256
f3456891c97b9f057ae38fb635eac658479691b50c509d016a766178663f8ad3

SHA512
84ae1a1d19682624f47ee68ae70f0df4db0caff2fc6d23647278fd2b77d097a2ec7cfd811a0cc4a65aadc00a59d992a86e2b31770eff147cce8383027ed209d8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
81fac41e5bdb1e5f68c29e546f660ada

SHA1
58a2c64b7fe9b45e4f5a776704c9bec4cbbd67fa

SHA256
f39c02ae1497e65a7956589588adafd274765750eb80782ab0ce7d880863c598

SHA512
2b56b0f0b027034a6503b5c13bc525a01319080ab49f55e4846ef07ca96b150b9c90fca50640c72b95937a6f4b62d758381af1d78b010a703f508400dd86c9ea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
3c77b49324ccc845f799e9e73e4191b4

SHA1
552d8b079fb807931495652a7de82a801d67ddb1

SHA256
549bf24bf8bf92a2a40c1fe9fa9714dff3c3195971f4c23c05e1575c92ac8250

SHA512
8adbed76c6697a53d7c49c638ff45c3daf97015aa233ee6cb3c3db218943ca6f265b81157d7a2f31e87935004d18ec8203ea295096704a2c285a3f7a2dc42c88

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
4964b10c11140738605b0e87993984c1

SHA1
c65e0e80cffe2b484b3ccc9a901b92d0ed741bc8

SHA256
2b8e0dbf35bf0e314c98ff44cdf6c37bb0e62765d84d4a6f22f20d1edb5a22e3

SHA512
42093e7f44e505ce501e2cdcf73fdda2ddcd6f1020a596c43327d05bdaa223ba4f153efeec63c1c2ecc805f7e9cedd1db898019cbee3b24542e437d9383ae8e0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
da6ed0dc75fc012f095c70a5c9cc727f

SHA1
871e42d878419227658dc33835c6237fa0aa2687

SHA256
671af2203c68f54dd58eaf80e7f2ff6c28c66373c849a38a56e5f9e487061b49

SHA512
f9523839ee043c7615bcb8c04ea996924fe3440f54a8143fed85188f0aed49922b1ad187e03f54e4348a59929882def2df5ebb5f3586df34551dbb7b92790670

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
9c17755be09ba17fc3389d5810653470

SHA1
db2b638a98342d844a3a26ab42663e6dcf06a564

SHA256
b0cb96ad7d3cdee2a5abd76f3f261f30e1ca06fdcd243317b549355355849cc6

SHA512
c9d012ac204ca4d766c58d141cdde946466f249ac2b0cb857d6010b6fbf32366f29ce9222e98267f71241eec8ee6204a6b144f04c055d63ed0c4436e72466a1d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
619KB

MD5
49d8c449c91af97653ebeb2b6c1b6119

SHA1
7a1cca66c1f8e2d4e5d8874b7e1c24ed76c2c88a

SHA256
8745115ab27e05f64db11bbc20158d8b41741e7b637ae9206d05939c8ff8d4be

SHA512
21c516b4eaf347bb4417efe616594e9215380b3f1ff195af940e3e5d3a23d00658a6ed07217b42a0bfdaa0177c1069a20eb32511b6f1b2c6b2c5a6b9bf31c412

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
12a2609aceb135e49f6190fb51fc1ddc

SHA1
00a17bc9c838002113f253f7b5bfce9f8a785279

SHA256
6334636a8db81fed6fefb6505071d9c76e1e3e863d9814fc14bd8822a13fcc25

SHA512
922e7c78f83aefe968b64ef2a56daf1260643ed2be120eff9d9f21d6fefa2669e9e52279703770b8f3eb32b04d1df397543a317c8b7d259600a2b0e1ca512b88

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
650KB

MD5
6de29c30d6a313586189e937a85c384b

SHA1
1ed8e8bc820a2b2d09944202b8858f7e74e7f306

SHA256
f0347bf50450cf733aa021aa072837301f180d8771891465e2ae795100ffc629

SHA512
a9307a432ac4f186ac061a1ba7792e69d9801a34bcf6cf675cec09d523385f172471dc1d2485ba4975af875c1b7465df963a70ca46a43b233b1b727529af290d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0b78a9548d35b35aa287f1bc21c06464\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
ffc7fe175885abcfd325f391df4bb95e

SHA1
5ced5b0efff0106ef1bb4893ae9f7e28ca76b4d2

SHA256
f3139edfd9f2900c993eab569e31f3e148f98d058806d3544fa6e9f525ae7f73

SHA512
5eabc4e0a255fd379a036abcdf3fde98c915b39c1b331ccd729e9a197fe331432f1a250c28349516c01754ed1240f7e51784f677cf7bfa436a4e402ff69d8bce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
700KB

MD5
af287a1a3832f6e80a7d8cc261a02f19

SHA1
b5f03b3a37ff0483450145ebedf4e660b5de51ff

SHA256
9cf760c012573a24fac68c5a30d7e6b7c2884564e8f44bc125574963e0f732b0

SHA512
74f7dc0131334624e73f686c03a6c7a050e92a2c0d75cecd84c374186c57efb0f95612a0cce0b7b9d051b8d5a890467cdb8ee506aefdb1d260cca61eebe41f52

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
41430b3db94df250d46caeb22676eef5

SHA1
db220fd67ca376e00d4c90b91a80ba2180d36fe7

SHA256
0da496b8d250dc1bfdee8d7a6589b858408d02080c10cee09403c05298540b7b

SHA512
db88ed63f87ddfbd6c0244e34460f1d330c4ef4eaabf12e4688d3283e61b9b02b83eb2ad075b4b5aa5f7ae967952c5796bea49f715903129bceedf75344500bb

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
775KB

MD5
b58e397943ccb1371b70b8f4a9924bdc

SHA1
d11ccc990ed6a99f481e8e0c9105f9345ae7f01e

SHA256
d0f2c226b00ae63145c660bcbb079f18a9ee826180a21a3ea27d70e34c3ceda8

SHA512
29c4a62efa14080ef8f37d6376d836cbb66dabb003da19d2c4a8235e91ea8fc3a16f959beb3768f55bea765e529dd663b335810455e17a7577ec3afb6570fda6

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
684KB

MD5
b80705303e6ee571f748b59e88b0458a

SHA1
5326ee2c2947057940d841aa2757283cf7551b02

SHA256
91de2572811956cdf4e97f05e0361311b137e177fb67a753885bd95c5cdb238f

SHA512
f956b38c43782473e69fcbcb5084ddb82031c22af5db66be48eaa9ac81371bd3f9414dccfa9add302c6c64ebee05f400fb9afb5394dbf411c49aa80d94f87718

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
596KB

MD5
7b08ed4bbc10dff94025adc94a32da56

SHA1
352c70d8b8f78d55b73c9931668cf65e9fb724ff

SHA256
2550b1912e674b57524ee42d6ebc380d1f1ed61c7d14791a928c04f2e48d237d

SHA512
d7ecaeee1c517e112b3ba86069adc9cf956fcf14cf29b20d0331734a30c8b6723eb47db522a3cdbdcb5df43b05f11eaa9db8aaa721b2dbca327d4f608178b561

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
637KB

MD5
095a1272494461cc4bdb267b39b75b22

SHA1
5d72119dc9e6844e8a0608be8b887b284ea0521a

SHA256
c0e6eda567066948930e24856c3b5e3039eef0dec29448fc7994465d3d3a360c

SHA512
3c9751fdc51cb22d268c92cb8680485b1835315b7227073ea2b4cc3b831ef46497f79ff513b58875519992b978bdea9742bdfe5944aea070b84b8bc1d1076669

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
b291fc0752946671bf7d0d1a405a9000

SHA1
b8be0e9cf443ea133518ce5ea5d093f12bf04a65

SHA256
936770c4bfc4260054a7dbdafc75f38e2053c759ac63758c2a36fb31a7334c4e

SHA512
4f4270c72363686078e6cf9957207a6b843a7d15c1901ef741e7b53e6333039404b1a5adbd947b7e596a491eb066f44452b8294615b2b41a813a8c61763b5d1f

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
698KB

MD5
41055b8458e9ba65f1e8fe1fde64f67e

SHA1
06dbcd1b66333a482ada730cf45da7cdbe873b94

SHA256
b9b7f255562b745bb4c7da25635d3b87aef85a9d0093eeb3dfdf62ee94607e1f

SHA512
251fb97eb8ba833609bf190b4699dda3dbd0bf9fdd11f5b8397189469b8c28544dd6c3531f35e5426eafd8d1833ff4856f217a4859a646a485f30f02cde2f32b

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
685KB

MD5
ae708a034f0f488013ce48a22d3219ca

SHA1
4231986f77db0e502fc8787bb08ce40146f90fde

SHA256
d93726bc84763536e431859e96a6eafdb3ab5abaf5464cccff715a5e7b6cee06

SHA512
c39e82a15eca3f6fd7bb07019b689aed4b97012087b508dfe6d69eac7f7f6783a75f624334c71076768ead7c7357c30f3a2fea702891bb00fd55e67289747f4c

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
574KB

MD5
0d6f3a827b55cffef3b43574c4b17ca9

SHA1
77625ebdb814904ea32f5b95fc2ed135687931c7

SHA256
af8381f84222d20bb56d914392285ae7d9c137718444cebb30707374831750bb

SHA512
d6542c5915ab064d47a21cff76f153082c45f6931485955cabe678e3f548b8a8397168fb291f5c1568855857d6e78bf39c8326902e1b2ca68af8b8606bca286e

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
600KB

MD5
353802f51ad33b68ba0ae6e74c69fd6b

SHA1
ad7e926a6e1dcfac0ac1521b29c0d271853720e4

SHA256
0c7b9b0191dfc3d3b14d2fd05c769ed6172e234203c6543a074dbf11a720ce5d

SHA512
3f691fabec328db9bb7ece0d6c6a147035509d3e5aa7a512dbfa3f0166e8faff84082e6a1576269598ae048a1d091e3b7057e047d5d5b790701979781ce1136d

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
30eaa182f4d563e8b62a8f6cd68fe510

SHA1
2d7988d728d9b26fc57140198e6bad152cf28138

SHA256
d02cadf95b578c226f72da1168105c37e55c1199960212191386975044e0ba03

SHA512
67d3669d1d0b5a008a9e2aa8c15d4d82c0489625c306cd07d19934928e5f23105a8b1ae675d510d274e29bb1fa9c42079dd506953b137565a45266e3cf048dad

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
38e3afec4186a15f19e3b6f1d5117dd3

SHA1
2bea5eb4181fc68b02d70a5efdca9c155d5d0577

SHA256
8c5d0160d1d680a992b6889115b19d9bacd34f6de4ed14e093f2f01c8f1a1458

SHA512
ac1802a9110b4278db754c3cbb5334469473aab9135be299f8507c8f94b3688a18dfec1e1a0db5f580bbbbd8cc594f0ee1caf99e37bd1bb1514e14ad87ec0156

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
758KB

MD5
b41cda27d428e37d56468119c90e5d4d

SHA1
3b26d9b3b28ce5742c6ceb4fd9314a5fc28d7fd1

SHA256
baee449aeb71f167f9026ac8ecada1e97790dadda8137e9360ed4e1f115e2df6

SHA512
78d2bfe917a3012c3e97ebc096b10d91f471aefc061891b3edc0d8e3b5123c8b7d8972005ea9f7886e722b85f0c762f555c88e4bb10a178f7f7980a2b91b8c22

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
ab3c8da75b2194efc30e92c438d63589

SHA1
feae4e38080ebb56125f432929db84c14606aa58

SHA256
0df440b31d0a03d56f4c92e810b603d03d26e288f82d81e9af1f9b3a426ff132

SHA512
c278c19436a0662a60c27b30de1da580235cb753bea67a90609fc7a453171a665a7e24c5d58523373598926011b168717d9ea010d7bb7bf0132561b14b173232

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e0503cd77c472d3aff8dc07f75acb8e0

SHA1
f1ef1590e991f2a461159a0d50806f48dd5d89ed

SHA256
e88a7f4a1a044b0897b88812e9761d5acb070ec100ef73ff6e55405d462de98c

SHA512
db8fe734eee771ce6757a3090784f97b099cdeb197b6564de9adb05c49cb14af0cc1fc416ec95ba816cd26b0b9eaec7987229bfb2dfffc01e67b1c9305c0dfe5

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
642KB

MD5
8eac18a0f46276def86c43a93ad74fb5

SHA1
909585b95a033cae487708f01268cf76fadc3b7e

SHA256
e42b19d976851f13db65b010ccd032a19fbd3f5464a876daedba85770e9a522b

SHA512
af32238d525157857b2a0db0e8c997d773058a31608e4cf3a2e71560d274730fcafc05d7e95c783689245cab0ac7790441152c94495bb97bdd981f31cd996929

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
2e7650fef15b554ccb0f4c69232da0a6

SHA1
de4da3fdb304b2755496a8b61c39d8a143e0e087

SHA256
cbc6fc65e7e55ff2255fb8d1636372adda7803950e8cc9e33dbbc593479a45b1

SHA512
135bd3b1159faceea76ca52c73cdd591be4c3843e6117ec6a60188eeaff5ad377d3c40f060b15f45f029eb94f2ece5d4da15cafe124044feded291b563b471db

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
669KB

MD5
3711bd0dd62e2c95f8b057b0f2cd57c9

SHA1
c6a5e822f9f48e66d532d79d35cc5bded8146643

SHA256
3dd7f420e73a64d060dcdd1a6337a36b074ac97b487baba8630206510cd596e3

SHA512
36d14b46a28ad96bab3a9fcc9884b5a3d0b0378bb52bd544ce1740e827d670271dbf12ab988b44817c41c2cd5ec058e3e0cba050b03d7357a53772ca28eb9988

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4F97.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP531F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5763.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5B4A.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5ED3.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6181.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/588-355-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/588-342-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/588-343-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/588-344-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/588-345-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/588-348-0x0000000003050000-0x000000000306E000-memory.dmp

Filesize
120KB

Download
memory/588-356-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/588-346-0x0000000002FE0000-0x0000000003028000-memory.dmp

Filesize
288KB

Download
memory/588-365-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/588-347-0x0000000003030000-0x000000000304A000-memory.dmp

Filesize
104KB

Download
memory/592-393-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/592-375-0x00000000030D0000-0x00000000030E6000-memory.dmp

Filesize
88KB

Download
memory/592-382-0x000000001C7D0000-0x000000001C7DC000-memory.dmp

Filesize
48KB

Download
memory/592-383-0x000000001C7D0000-0x000000001C7DC000-memory.dmp

Filesize
48KB

Download
memory/592-372-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/592-373-0x00000000030B0000-0x00000000030BC000-memory.dmp

Filesize
48KB

Download
memory/592-374-0x00000000030C0000-0x00000000030CE000-memory.dmp

Filesize
56KB

Download
memory/592-378-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/592-376-0x000000001C700000-0x000000001C748000-memory.dmp

Filesize
288KB

Download
memory/592-377-0x0000000003110000-0x000000000312A000-memory.dmp

Filesize
104KB

Download
memory/856-178-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/856-176-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/904-370-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/904-368-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/904-366-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1076-411-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1076-404-0x00000000030F0000-0x0000000003138000-memory.dmp

Filesize
288KB

Download
memory/1076-397-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1076-406-0x000000001C550000-0x000000001C564000-memory.dmp

Filesize
80KB

Download
memory/1076-405-0x0000000003160000-0x000000000317A000-memory.dmp

Filesize
104KB

Download
memory/1076-403-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/1076-402-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/1076-401-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1076-400-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1076-410-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1076-421-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1868-87-0x0000000140000000-0x0000000140382000-memory.dmp

Filesize
3.5MB

Download
memory/1912-297-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1912-300-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1984-61-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1984-153-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1984-62-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/2032-174-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2032-94-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2032-216-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2060-394-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2060-395-0x0000000003060000-0x0000000003074000-memory.dmp

Filesize
80KB

Download
memory/2060-392-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2060-398-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2172-0-0x0000000001000000-0x00000000011E4000-memory.dmp

Filesize
1.9MB

Download
memory/2172-1-0x000000000101A000-0x000000000101B000-memory.dmp

Filesize
4KB

Download
memory/2172-2-0x0000000001000000-0x00000000011E4000-memory.dmp

Filesize
1.9MB

Download
memory/2192-420-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2192-425-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2192-422-0x0000000000840000-0x000000000085A000-memory.dmp

Filesize
104KB

Download
memory/2192-423-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/2212-332-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2212-334-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/2212-337-0x00000000031B0000-0x00000000031CA000-memory.dmp

Filesize
104KB

Download
memory/2212-338-0x00000000031D0000-0x00000000031EE000-memory.dmp

Filesize
120KB

Download
memory/2212-336-0x0000000002F90000-0x0000000002F9E000-memory.dmp

Filesize
56KB

Download
memory/2212-340-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2236-302-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2236-306-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2596-317-0x0000000000820000-0x0000000000868000-memory.dmp

Filesize
288KB

Download
memory/2596-322-0x00000000030A0000-0x00000000030AE000-memory.dmp

Filesize
56KB

Download
memory/2596-323-0x00000000030A0000-0x00000000030AE000-memory.dmp

Filesize
56KB

Download
memory/2596-333-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2596-313-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2596-318-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

Filesize
88KB

Download
memory/2596-315-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/2596-316-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2820-46-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2820-47-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2820-95-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2824-303-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2824-299-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2840-177-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2840-159-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2856-72-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2856-33-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2856-34-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2920-428-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/2920-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2920-55-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download
memory/2920-432-0x00000000008E0000-0x00000000008FA000-memory.dmp

Filesize
104KB

Download
memory/2920-433-0x00000000008E0000-0x00000000008FA000-memory.dmp

Filesize
104KB

Download
memory/2920-21-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download
memory/2920-427-0x00000000006D0000-0x00000000006EA000-memory.dmp

Filesize
104KB

Download
memory/2944-308-0x0000000002F80000-0x0000000002F8C000-memory.dmp

Filesize
48KB

Download
memory/2944-310-0x0000000002FA0000-0x0000000002FB6000-memory.dmp

Filesize
88KB

Download
memory/2944-312-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2944-309-0x000000001C490000-0x000000001C4D8000-memory.dmp

Filesize
288KB

Download
memory/2944-307-0x0000000002F40000-0x0000000002F4E000-memory.dmp

Filesize
56KB

Download
memory/2944-305-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2984-442-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download