28c93deb36270cb08e80cae5722248b135951a3041e11dd4b8aa1828a4c1cef5

Analysis

max time kernel
34s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
Size

5.3MB
MD5

499fae01b3b8e6076e712d001b7ae7d5
SHA1

b849843a762a1ba020fb961bbe6b935922317df3
SHA256

28c93deb36270cb08e80cae5722248b135951a3041e11dd4b8aa1828a4c1cef5
SHA512

f2fa54e3e9aef2381e5cb87d5d767e6b9fb3e4a80f8d9748f15e6194c4da79d7c85807d56e3f9404efba94325ffe40a287974917a0055b53cd7c41dc0f8a5691
SSDEEP

98304:SLXClnwPWrDSVYg5MHKO6HCfyAo77wRGpj3:ZlnwPihg+ByAo/F9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 51 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exemscorsvw.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
480
2464	alg.exe
1780	aspnet_state.exe
2280	mscorsvw.exe
928	mscorsvw.exe
2968	mscorsvw.exe
3024	mscorsvw.exe
1956	ehRecvr.exe
1564	ehsched.exe
2280	elevation_service.exe
688	IEEtwCollector.exe
448	GROOVE.EXE
808	maintenanceservice.exe
2056	msdtc.exe
1540	msiexec.exe
1916	OSE.EXE
1304	OSPPSVC.EXE
548	perfhost.exe
1224	locator.exe
1548	snmptrap.exe
2052	vds.exe
3116	vssvc.exe
3212	wbengine.exe
3276	WmiApSrv.exe
3364	mscorsvw.exe
3440	wmpnetwk.exe
3632	SearchIndexer.exe
3692	mscorsvw.exe
4044	mscorsvw.exe
1592	mscorsvw.exe
3744	mscorsvw.exe
3972	mscorsvw.exe
3968	mscorsvw.exe
3312	mscorsvw.exe
992	mscorsvw.exe
1628	mscorsvw.exe
2100	mscorsvw.exe
4084	mscorsvw.exe
2276	mscorsvw.exe
1692	mscorsvw.exe
3912	mscorsvw.exe
3668	mscorsvw.exe
3804	mscorsvw.exe
3356	mscorsvw.exe
2704	mscorsvw.exe
3820	mscorsvw.exe
3940	mscorsvw.exe
3468	mscorsvw.exe
3900	mscorsvw.exe
3416	mscorsvw.exe
2032	mscorsvw.exe

Loads dropped DLL 14 IoCs

Processes:

msiexec.exe

pid process

480
480
480
480
480
480
480
1540 msiexec.exe
480
480
480
480
480
764
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

Processes:

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exeGROOVE.EXEmsdtc.exe2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exeaspnet_state.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\238c7d5aaad3ae89.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5CF72A45-AD68-472B-BBFF-38A947BD74EE}\chrome_installer.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

Drops file in Windows directory 27 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exe2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exemscorsvw.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

ehRec.exeehRecvr.exeOSPPSVC.EXESearchIndexer.exewmpnetwk.exeGROOVE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{2A1BD28D-4A7B-4C34-BCA7-609975E1606D}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{2A1BD28D-4A7B-4C34-BCA7-609975E1606D}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

chrome.exeehRec.exe2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

pid	process
864	chrome.exe
864	chrome.exe
1624	ehRec.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exechrome.exemscorsvw.exemscorsvw.exeEhTray.exemsiexec.exeehRec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2044	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
Token: SeTakeOwnershipPrivilege	2504	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: 33	2808	EhTray.exe
Token: SeIncBasePriorityPrivilege	2808	EhTray.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeSecurityPrivilege	1540	msiexec.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeDebugPrivilege	1624	ehRec.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	2968	mscorsvw.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeShutdownPrivilege	3024	mscorsvw.exe
Token: SeBackupPrivilege	3116	vssvc.exe
Token: SeRestorePrivilege	3116	vssvc.exe
Token: SeAuditPrivilege	3116	vssvc.exe
Token: SeBackupPrivilege	3212	wbengine.exe
Token: SeRestorePrivilege	3212	wbengine.exe
Token: SeSecurityPrivilege	3212	wbengine.exe
Token: 33	2808	EhTray.exe
Token: SeIncBasePriorityPrivilege	2808	EhTray.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: 33	3440	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3440	wmpnetwk.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeManageVolumePrivilege	3632	SearchIndexer.exe
Token: 33	3632	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3632	SearchIndexer.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

864 chrome.exe
864 chrome.exe
864 chrome.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

SearchProtocolHost.exe

pid process

3860 SearchProtocolHost.exe
3860 SearchProtocolHost.exe
3860 SearchProtocolHost.exe
3860 SearchProtocolHost.exe
3860 SearchProtocolHost.exe

pid	process
3860	SearchProtocolHost.exe
3860	SearchProtocolHost.exe
3860	SearchProtocolHost.exe
3860	SearchProtocolHost.exe
3860	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exechrome.exe

description	pid	process	target process
PID 2044 wrote to memory of 2504	2044	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
PID 2044 wrote to memory of 2504	2044	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
PID 2044 wrote to memory of 2504	2044	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
PID 2044 wrote to memory of 864	2044	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	chrome.exe
PID 2044 wrote to memory of 864	2044	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	chrome.exe
PID 2044 wrote to memory of 864	2044	2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe	chrome.exe
PID 864 wrote to memory of 2744	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2744	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2744	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2640	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2488	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2488	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2488	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe
PID 864 wrote to memory of 2756	864	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_499fae01b3b8e6076e712d001b7ae7d5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.168 --initial-client-data=0x198,0x19c,0x1a0,0x194,0x1a4,0x140431148,0x140431158,0x140431168
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65e9758,0x7fef65e9768,0x7fef65e9778
3⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:2
3⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2164 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:1
3⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2172 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:1
3⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1224 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:2
3⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2780 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:2
3⤵
PID:268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3344 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2904 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:1
3⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2848 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4216 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:2260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:3352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1401f7688,0x1401f7698,0x1401f76a8
4⤵
PID:3524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:3576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1401f7688,0x1401f7698,0x1401f76a8
5⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4208 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4128 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3948 --field-trial-handle=1192,i,17358297990270089019,14521247501292602974,131072 /prefetch:8
3⤵
PID:1628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2280

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 240 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 258 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1e8 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 248 -NGENProcess 258 -Pipe 234 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 238 -NGENProcess 264 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 268 -NGENProcess 258 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 250 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 238 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 258 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 238 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 284 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 294 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 238 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f0 -NGENProcess 248 -Pipe 210 -Comment "NGen Worker Process"
2⤵
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 24c -Pipe 234 -Comment "NGen Worker Process"
2⤵
PID:660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 254 -NGENProcess 1f0 -Pipe 25c -Comment "NGen Worker Process"
2⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 268 -NGENProcess 1e0 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 1f0 -NGENProcess 1e8 -Pipe 274 -Comment "NGen Worker Process"
2⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1c8 -NGENProcess 1e0 -Pipe 24c -Comment "NGen Worker Process"
2⤵
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 2a0 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1bc -NGENProcess 1e0 -Pipe 23c -Comment "NGen Worker Process"
2⤵
PID:3412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1e0 -NGENProcess 248 -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 254 -NGENProcess 214 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 270 -NGENProcess 214 -Pipe 280 -Comment "NGen Worker Process"
2⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 2a4 -Pipe 264 -Comment "NGen Worker Process"
2⤵
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1e8 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
2⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 26c -Pipe 28c -Comment "NGen Worker Process"
2⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 214 -Comment "NGen Worker Process"
2⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 248 -NGENProcess 26c -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1bc -NGENProcess 260 -Pipe 238 -Comment "NGen Worker Process"
2⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 248 -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:3336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
2⤵
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2ac -NGENProcess 260 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 290 -NGENProcess 1bc -Pipe 248 -Comment "NGen Worker Process"
2⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 2c4 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 26c -NGENProcess 1bc -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1bc -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 260 -Comment "NGen Worker Process"
2⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 26c -NGENProcess 2d4 -Pipe 1bc -Comment "NGen Worker Process"
2⤵
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2c0 -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2dc -Pipe 26c -Comment "NGen Worker Process"
2⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b0 -NGENProcess 2c4 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 290 -NGENProcess 2e4 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2cc -NGENProcess 2b0 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2ec -NGENProcess 2e8 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:3416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2ec -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:3336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ec -NGENProcess 2c0 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:3472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2b0 -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2c4 -NGENProcess 308 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2f8 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2dc -NGENProcess 310 -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2dc -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c0 -NGENProcess 2fc -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2b0 -NGENProcess 310 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:3344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c4 -NGENProcess 2fc -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 308 -NGENProcess 2fc -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 318 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2b0 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 32c -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 328 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 328 -NGENProcess 32c -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 328 -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 33c -NGENProcess 344 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 308 -NGENProcess 320 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 318 -NGENProcess 34c -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2c4 -NGENProcess 320 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 348 -NGENProcess 354 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 308 -NGENProcess 358 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 35c -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 344 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 36c -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3c4 -NGENProcess 3a8 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3a0 -NGENProcess 3cc -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c8 -NGENProcess 3d4 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c8 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d4 -NGENProcess 3d0 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 394 -NGENProcess 3c8 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3e0 -NGENProcess 3d8 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3cc -NGENProcess 3c8 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3e8 -NGENProcess 3d4 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e8 -NGENProcess 3cc -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3c4 -NGENProcess 3f4 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:3948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1956

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:688

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:808

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1916

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1304

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:548

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3276

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3860

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
2⤵
PID:3164

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
6a906f6a64c422f427c926012744e0f3

SHA1
4c787a1537fda42912ded088a84a4ff63117ebbb

SHA256
02538e3b6be340b97f37dbddbac83b1e34f8cc621efc6dbfea0e18da190b4f02

SHA512
ca3ddf109a36ac625f5af6e2e94bcd1605c504c8882a7eb929ebd40694439e479f5a1cc430acab7b6253aa3ff60e55f49d57a6f6d2667afc564bbe9bc8b842b1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
56ce9d5857703b2226ce78e9e2d2d1c9

SHA1
da626a0c72a9ddeba90b2db51b51893dfd2d6556

SHA256
de191ff1177d990a68f382942695dbe3ed21364499e24d65b867f47fdbccd3d1

SHA512
aa3b108df27ec1767791e2dc93597a567ae4e39c1b6b493780df09c7f149bdae01e600528dbb7220d8f3a2fb2b6d77933a480213aa349f14ef713d94b2ce3a99

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
135ea1d67476967e2ab835d5c933ce96

SHA1
f72928da9c145784fdad7c2e899c1a3b6cd31757

SHA256
3341c668a2754812fd98ebb4482c72757793fcd8401bae65f3e8c7644f5e665f

SHA512
3d7693ded50eb2ec7e7f9ebbc3f5f136545022de23eafdf15ec4539fb7358f76fd67927e7a3fc7dcf2006bb50785f0bc0a012098bd5ab3de03200a7dc6627615

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
60f120d52b06d2a488f7fe9d7bd78258

SHA1
28226539d3a2a52674c2f16e0b65a8462355a3ef

SHA256
65072d2f6de0fdd79fe02608c3dde12832d3f808a49bcfa37ba2203d288f8a3f

SHA512
40c00d0940d4e957a4c09f58d78d21c97aba915ba069680eb76d15867787087c94e16fb0752dd0833769b2bab31c811abc5da05bd1a8921b8417a7fe260250b9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
7a75322e6877bd5cd57cbf40ba3ccf65

SHA1
2f63a73392e863fda6ab0f6025f6b39f7bd525c1

SHA256
0e52dfa4a4fedd4aa23f57e17625dbe0f462e1cc8e4b5c470dcfade7dcb233c9

SHA512
b42a5105f7d0e84282d2411a0175d64de6513f32dc5abc916f5551d7bbe791a302120419b226497f8cf9de7e718a0fdac09a7cd32db0ee58e57e51cdc102d0b8

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\61e2897e-6f38-42d9-a7e7-0d1e0a32dd64.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
e26ebdf5c492ec811eaeb5873bb4f220

SHA1
41b92a055555a967b7343b4cf581131b5db00cc2

SHA256
894478a123ab067893ba089c4a75c8addfb665aaca3aabba5e88e03d6b94984c

SHA512
7436e71db57ac8dfb2eb0290d328e38ae405bbda2348d4bbff8275993285a8758886830834045d86acdf5f6b7578ec54ab60a4fe5d851867ad3a046983790526

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
9ded9f4bcb8d0ad51b483314d5d1d129

SHA1
3206c547210651a9d76b8f3f35d76f587bb6872f

SHA256
2a1b2b269e2f4e3cb058a12e442af2b0942166b85e0de6de880178bf96398abd

SHA512
4e300bb50f3cf0345b40bc0b0e1696d788defa3f1b22c0c1a9accba19eb2c2181f8efae67f26dec10df36a5b8e0d46a7cf944c83b0f6bd730820227edacbf106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
89f4922a7587a9f92f626d7868051285

SHA1
9419dc4f12c1cafefe5a1a12997cd4c0ae5d6702

SHA256
16d4c209625f423200c0a930685ec659bdc58c7e5c7848d0008979311b945ce7

SHA512
009d7b6d168824bb8c8c15f256502673af694fec8b7fd3761567bddcb0c40500d77de42c13313fa33e7848d8380d097cdc4c14dd21e71023572de5508127f9cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
78f140499d96e7f51c84f7c18b1f9250

SHA1
2f645a68937a9e1dc03bfc9b18a008678247b2ec

SHA256
b0241df5ed2e1fbe5431db85f6f0e9614ce09fc8bb982608a7a6adcb581a2559

SHA512
ee67466998306400b1df2d719e869890aceb6bf4bc963f6063a815e3d9812b22af054a30061dc34bd041a61a8f4a6d084b0b12d8e7e9e9194ff790d3a6a8334a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
10a75792ea3d54be334a98e691ef2ee2

SHA1
3f64d3d90a89fc844379968bf7afcb7940b17277

SHA256
4cc3936d4626f8ce2fd03c1700ab9934b2e9ded51b6ab1eb876bf3d6a82786e1

SHA512
83f7d1a0a5e09f31d8058ecf7808e99f23511aa4e160d94a631524e9832c733fa27da2be551128995ba76dc6ff1cb950504883f0c72c5c3ab798c3fedec1ec62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
e05505295cdcbe31f99d210c03875d87

SHA1
0ce23eebe61b3d43f1d1c932eb22be2db7118949

SHA256
f3e0c1c6bf014d5be15b91ec143b6186a3c94dafb6619edb7087a9b74e5fd64a

SHA512
6f19ae61bd0b86e13acbca2641fbfa3d84ddb9a06fd4e629304d2ae18dc6ddabfee97362d5f4618be868877bea75e3c1020d9db7a389c77d25316e073178888a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
9KB

MD5
e3d5c5ff20884be669a4e63d51f7175e

SHA1
43bd8c5489aaa5e21a72c53b46930baa296ad6b2

SHA256
226a1a5772f0be982f2c21a712a4e8455111bd081cf931dd2cdc1c6ea9e020ab

SHA512
2f93c5402b7355aa56526d0bc078749999fb349914c5bd2c8929d905071c8807c9c5155a0519f12304c350b92766ebe0fa22504b37e36bc4c893e4540a0d2c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir864_55004360\59d0d267-5eb2-4d36-b063-bbb36f8ddc2f.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\238c7d5aaad3ae89.bin
Filesize
12KB

MD5
d642668f7452b44f9dffb7e388fbc183

SHA1
d063f65c95f5c53f34be91979dfc0f0c901525a9

SHA256
e730102096b7464b182779672fdb38ac6eb2b745c86c454c2ba9beec588199c2

SHA512
c008ec387ddcc4cdce7cc527765b34ac741479a49da725b4e8d3d6ae3e569fdd805c3961e6ce26acb9cebfca4edefe578978151dfa4cd383d9791db2a6276937

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.4MB

MD5
49f8c7deb46514cde68b7469a257ac88

SHA1
9296b6a1bb0a9ad408670cc52c53683ed97c6884

SHA256
fc91bb9e4c637ceee68725208c9996672595a82138f500c8daff671c1bc1d3f6

SHA512
50c337bb86a44643f634ddfb7f45de3a7fd777c0be0fa377ee62c50f203df6ba73301c230cd6213dc4ccde57d4ffe5c82acec6e85be6421919ca008ab549d9ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
ef64bf2a97de41666183ed40ae002833

SHA1
667f24c7b289c28f6b2bf14029454dd1c12a3532

SHA256
855bf7253a1a756e413066ebafbfab1abd8c7eba2dba2ff7a9e50b96e62d28bf

SHA512
c6bfc1c3052264a2fde39dd1662b75a7143d6034abf3d82433923f39c01a05833dc0f32871c6ce81a66936fdbebed0cc04f4c4646a079454ce7425765cd279e7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.4MB

MD5
d70d37949e39df24f37a6b220ed012dd

SHA1
b0d470e32f214994aa3327dd401ffea4e9e79762

SHA256
096628f99a6c0a44c4368076b90b077d958d6dd63327d5a0948f37308d1c615b

SHA512
b379d0185255aef8a7bc3cd0e20eb8315b3b189e2b8b5c59b91a38e6d0c7188ab71627ebae65ed29138cf746def06785110769c909956e2f2f996358487b30c5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
048b007463241d64798b1241c52aeb31

SHA1
886e44a38d3e820caeabccc6b1f9ab42b5430681

SHA256
b19c9cc9d81966190b00ba15bfbbe831244a98f630b841e5facce242ce70cc63

SHA512
4059efe53054d33a10e07c8d08689477ce8249e6a26f1948c3089078ddc0ca33233d46881660d0dc69449cfcfc24c2334872778b5335a9c6bd839aaee5a2ee83

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
53d6d71fc04b111027a10551993789ab

SHA1
1810704e6cec0b9949b29ae1951dc6325d109907

SHA256
e7b8383d2ab1ca17377e586e2ed5ec6b1f3a1c7435b37581714166f75f151cea

SHA512
170797af96593781bb37ded3355fd32bee5757ec73be8687e18e4e09ceac3ba48055c2a1b0fc7085bcd8111f400f241949840da6b44c6b3c37edc94ffb1f32b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.4MB

MD5
25540b636842ac5ac11e34e410f897e0

SHA1
c135544e2039c91355e99f9c9ea823739132f328

SHA256
bac778cb0dbc8f862c825d6bac5938cfe6bcdbbae4d61f5550f61346dc5decff

SHA512
d49f9020f2f813c8d18069f92d7d168da8f9606a7781a39ea9c64a6685ad3a607abcc7339fc959244cfc05f9d27bcf3ac49b971b7630c04c56ad0217b4987785

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
f19a9f5f0420883901a6a1381e62c3a6

SHA1
2797bd490f43c39b90bc28c54d01a8115ed67c1a

SHA256
4ed2759aeac5ce822446df69f77e44f51257f892b2fa16a2b3773e8e45011086

SHA512
38973d9b86b095d87c8b388abeb8039f05c31e22a459ed6aa3572ff1f6d04fedd78445eb02a4411ea1590110ca0f061c522860c068fbf82feff644b48271ba10

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
b911104c28dc8302f8ccc6c4f4eede60

SHA1
de32c07200cd4da2c6b606bf0017430698aa1d23

SHA256
fa6db372d7b6d3397a3d087398d681dc9d9a5ddcd2feb7db5df021daef0161af

SHA512
bfa433b4191d05e8a20baec3886fa0a6b0532823989c3c3856af7217335e59b9d1064e5a68f41bec12cc1956f7eb0abad304ea2918148117547b4452e805691e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
1d5073ab2807e92d9306184820b2b62a

SHA1
9ca7d0a0d8c66ea9f4ffd6e2e98849ff3d35dc67

SHA256
d30540951f1e35d84b7b5f2137aabf7097885a3675501b64227b545dd85a51f8

SHA512
dec7e332a917e904e2609ffa189e0d7f70219718e2fb084dd442fed38b6c2ac8ba4ebb5fe83ebac93913b5b0b6c0ba394ef08ec2e3c9ae59cef2c84f5b341cb8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
bd9c2e92db287a436370419ec24faa17

SHA1
a80b0c14b9b9a7ea27f0b988d565062e71a11ee2

SHA256
da53b3b642176bf8827ec3dd09186ad5bdeb465784cb896609c5a6b98308ecd1

SHA512
c6196925214ee2241135759e575f0d5b7c18f00e3a7b381aafc44990b7107b014af4f721dec3fcf6e3de43485ecb5ad439df17e3e3cdfa234ee1401ab79c9ea6

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
1.4MB

MD5
df6e97d837335e463f3e8d0d07ebd147

SHA1
b92746796b5ea5959c2a02df372d66f87a9631da

SHA256
fc4f0233a617e598a4d1ca1d4ccd3915de6c9fc4451f66a305b945b473a4cf4a

SHA512
62f07458070611b6b8457bbf2a03d96413fabccd79856c0153b7e9bd9d483917cadd9709e00905f8c756224ef9eea63cbe71c4c9c798545357f408e1926a93a9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
ed50494cae3d8b472f7d12532679ecd5

SHA1
cc4719b926552aef456ef1a2676edfdf04588d0f

SHA256
c06fdb8d92b195df516a71b0b8aa70a2e5e2f907042e25b3b12ed67165ca3082

SHA512
a9c2745891cd57b062fe6e6a4c04323ec3520510c7548af4407fe8bcc5bc51584ded6d0c63cfe3543ad640622a961ff24bf8b377263cd9a42d077fe8d7ace4b8

Download Submit
C:\Windows\System32\msiexec.exe
Filesize
1.4MB

MD5
a5c1d3fed17297113e3b20a2e320defd

SHA1
4204abd2c775fa6393338f46077aa6e5362237e9

SHA256
14068e8c7ed3d45998c1f16bc0854a9ea7f762effdf8863e2a6dfd81c9c4234f

SHA512
384dcbb37fcdc08846453678e119823b7b71fc1cbee360f470187a537d11177476ea03d15b8b9e2e2b442d54a8ec56bb5070a3c361af070bd002cfa1ddcdbffc

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
3749d36ae83861745472fa33af9c701d

SHA1
0924caaf978cbdb5612e0b1dc8c01af697c71591

SHA256
f23f6d4f654e6f23d932f867fddb302f5edda0591974b8e57da7c4cfb0338047

SHA512
808bcb3f0d9541004d6deb753eb0e9fddc35163824f7cd0204a315edce89a658b2700900fc76f2793feb7ce9ce03772b6ddf7269d85bcc8c4560d9de036c4504

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.8MB

MD5
d1195472f6f129f55b16b940a5580861

SHA1
7a33764907b09500af06ac46f0ad967f973b6491

SHA256
83f69f2fdc06bab4f365dccd893f410fc435fb2c5bddc8cfd3036a3c062e74b8

SHA512
80ddb65d3f25fcc73261575f7aef3cab1df086de506217d461b96d8534a19c2eafe368268339fdc1034dac2286157715c50b9b75a6234c14a85c1205d06c5b8c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
f745b3aa1f622885c36d79e8aede5708

SHA1
387f0e440bf9f510362a7947ce7fc420b7460d6d

SHA256
45cb6d63809ffd054f1b558b01bf55ebfc474e7a938397e204369f432b8b095a

SHA512
b3f410bb12b734c605de515059a021b9cf4f62b5c6c889c3c87dafc288dbf6a26c4125554e0bfee41eb0f112756d3d4ec01ff9ee808225b9d7ae8865db509e2f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
b4c91795cf2414d4181cbd9c3d720c75

SHA1
703140e667566944df96dbdbaf927ee2b91adf49

SHA256
bbc426565857835f51c609d99ec0bd66ea52fa2e73c46c7b86d1a06ec30dcbb8

SHA512
333ca476cdc043a49472b1785bd3786818bb6749795612242cf8ce613f6d34111355b0af81249b3eb1401af8b390eb21169909a4fdf25ced3fe6235a49b95869

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1872661da45fa8192b12030711f0e1ad\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
ee4748c0545f5f6674a51dc029c31dc7

SHA1
8c788b755de3bccc71e555534106224e9cdca09d

SHA256
e313da557df7129bb330d28f20e1ed3bf02162f066ed70564e797d6d9977f5ed

SHA512
c95d363c17a86c9c701a3e5c3210a0a5acdb4fb0d0e2d69ab9b1d2007cac59e239b8201c11819b6c9886902dc7e018010595a1b09af33efaa71250fe13e7e5bc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\677f702dae85e9e71dd263389b314e4c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
707dfd12050367afa559a46fb9f58cc3

SHA1
5de2d34f0244ea30a7cee2ce057911d496b275ec

SHA256
c573fbe5d6d82ded4bf0b6e009ec70ce0deb2b6a17d071941d4be4d7a533c4b2

SHA512
09129b72022fdd6853ab271997dfe452df1fecc718b07b334559c481f5524c9cbb9a36f3f51631046332b5841012d273882b8ce5e95c6d38a52b7634dc15e3b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b5e4f655828029ffd0389bace9944d04\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
a6b55eea3f8ac04f5d7394df9e5eb978

SHA1
72746a49b47ca116f20864a3b8ee9b09a4687f02

SHA256
c49303feacc37fadb43e115943fbad769b18c6f7644d439a553fae836ef9e54d

SHA512
be83465328fe853bc318a38322f00b296ef41e7b6b3a8a90d46eea5298aea1fad5b45e218a655b619043b72c9371feb7f7b4ec8ece3b7ab5db35f2361a109520

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d1a11ed37ad46bb9c768d236c9303fd6\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
d6145d4dd049d3142f0f41c723a32ae7

SHA1
459118b24fac2b4a70b23007deefbd696a609600

SHA256
c5a402f3cc519e94359db897a2be39c70e23dc0498a2b91dfbbc26b27a247e9f

SHA512
2f134b0146f772425e27b63ca4bfbdbf1cf40576c0c0e052a5f28278f1018cb9eeaa92f6e818116ebf6a4991fd769f19b8d2c998ffec033c7a349a2823b6ef97

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\??\pipe\crashpad_864_JIVTNXBPEWKMLCCK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.3MB

MD5
617e767371c4a7af54bcf295e29a6700

SHA1
bd93c366159f40b0707ab61e4a71bdf6d1e3e045

SHA256
779ac0ad1696743ac94ed363b534f74ec5f192cb4f86d697d7757a1039baf591

SHA512
71b3afb2e5c9ad9b51749f182c236f105fc38ba7e7f13ecebdd196b563968dee50bbcf72b49cf95c579bfe598201d2953da1ae39f7b54fced386e5dda8f1f25c

Download Submit
\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
158c95b2cfb47f1c3483069496eb8677

SHA1
34b1aee4d91b6975e5e38ce78c867f87f49aa3e6

SHA256
2b711b8082823ff5e347429d10c3b701af82661be35dc9888f214d792d09c06c

SHA512
a60dec48314fdd0581b66306d11457064dabbc4c9e87f63b0803ac7a781fbe6bf307ee00464477f516b299eb4dc1945d7a495958f397d8253b0110f2188a532f

Download Submit
\Windows\System32\alg.exe
Filesize
1.4MB

MD5
1917276c83f39ce5b6dc9075f45ca9b6

SHA1
3ddfca453b79c7caf150ef3e08c5247482933c38

SHA256
7b87d2590d74b3270aa1cb8225d35b00daa8617bf042165523fb92d863628505

SHA512
99e4c5d65bf2e30095b7aa6bb7bdf197b57367567841ef2491a2f01560f6dff68ddf61b8f112a2b649e06554d8774e673b8e3cf3c5c80c087eb6bc7686efeab8

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
840034ee0546a823c982f80916e6cb5a

SHA1
bfe0e6ededcb08591222394499d4d6ed6c611b0e

SHA256
85b61bab70f8ac6a43ace13a0bf5d92f04a8a1ef28dc5f76cb51cc5a6fedeab1

SHA512
78f7f567b033cdf714c85546d9f39f6f363ac8eb294eb89bb89a9d2cbc4cb41e032121c937714fd6167f4a73ca84696d81fdfa0b4612761279b0c517aa08b19d

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
06fe5dc415b2e2e78306e07eb5839baf

SHA1
0fb3fe299c6bf614e5d8803e7219dff9c85685db

SHA256
1bbe1a0963a0af337edd7f680ca78930de46263cd62f349b94db20d938fc4b2f

SHA512
820e9ade5827685e9f5f65ebca88756a6db16adefdd266dfc0507e1b8d65a06d01070d2522611037504b78b28176b4597221d3de6ca6bfacfe05509c1f0480e5

Download Submit
\Windows\ehome\ehsched.exe
Filesize
1.4MB

MD5
098c82e11a110998f11beeaaec07e94c

SHA1
d0ade37ed1058bc80eb3e3db04d931bb3ab552fb

SHA256
05bffc002e1b91804a24b490352098d90276b64886e8d7a24be5f41cdb8f0be8

SHA512
9cbe77c8289494aec6522f46e930b20900eefc61887af9a6640611f0fb16b63472bdb999c7d7db24f9a7bf4789294f2b1884de43a969d3dddf6482d3d96dd35a

Download Submit
memory/448-245-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/448-329-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/548-303-0x0000000001000000-0x0000000001207000-memory.dmp

Filesize
2.0MB

Download
memory/548-747-0x0000000001000000-0x0000000001207000-memory.dmp

Filesize
2.0MB

Download
memory/688-324-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/688-1076-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/688-231-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/808-264-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/808-256-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/928-116-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/928-110-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/928-121-0x0000000010000000-0x0000000010218000-memory.dmp

Filesize
2.1MB

Download
memory/1224-307-0x0000000100000000-0x0000000100206000-memory.dmp

Filesize
2.0MB

Download
memory/1304-290-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1304-692-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1540-271-0x00000000005A0000-0x00000000007C3000-memory.dmp

Filesize
2.1MB

Download
memory/1540-268-0x0000000100000000-0x0000000100223000-memory.dmp

Filesize
2.1MB

Download
memory/1540-369-0x00000000005A0000-0x00000000007C3000-memory.dmp

Filesize
2.1MB

Download
memory/1540-357-0x0000000100000000-0x0000000100223000-memory.dmp

Filesize
2.1MB

Download
memory/1548-326-0x0000000100000000-0x0000000100207000-memory.dmp

Filesize
2.0MB

Download
memory/1548-844-0x0000000100000000-0x0000000100207000-memory.dmp

Filesize
2.0MB

Download
memory/1564-907-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/1564-206-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/1564-299-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/1780-243-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1780-84-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1780-92-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1780-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1916-282-0x000000002E000000-0x000000002E226000-memory.dmp

Filesize
2.1MB

Download
memory/1956-184-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1956-288-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1956-1100-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1956-176-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2044-26-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2044-10-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2044-6-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2044-23-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2044-19-0x0000000002680000-0x0000000002BE1000-memory.dmp

Filesize
5.4MB

Download
memory/2044-0-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2052-330-0x0000000100000000-0x0000000100285000-memory.dmp

Filesize
2.5MB

Download
memory/2052-875-0x0000000100000000-0x0000000100285000-memory.dmp

Filesize
2.5MB

Download
memory/2056-350-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/2056-260-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/2280-149-0x0000000010000000-0x0000000010210000-memory.dmp

Filesize
2.1MB

Download
memory/2280-306-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2280-96-0x0000000010000000-0x0000000010210000-memory.dmp

Filesize
2.1MB

Download
memory/2280-97-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/2280-102-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/2280-224-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2464-36-0x0000000100000000-0x0000000100215000-memory.dmp

Filesize
2.1MB

Download
memory/2464-230-0x0000000100000000-0x0000000100215000-memory.dmp

Filesize
2.1MB

Download
memory/2504-17-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2504-20-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2504-18-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2504-11-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2504-201-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2968-1169-0x0000000002160000-0x00000000021C6000-memory.dmp

Filesize
408KB

Download
memory/2968-1159-0x0000000002160000-0x000000000217A000-memory.dmp

Filesize
104KB

Download
memory/2968-1163-0x0000000002160000-0x000000000224C000-memory.dmp

Filesize
944KB

Download
memory/2968-1164-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/2968-1165-0x0000000002160000-0x00000000021E8000-memory.dmp

Filesize
544KB

Download
memory/2968-1166-0x0000000002160000-0x0000000002184000-memory.dmp

Filesize
144KB

Download
memory/2968-1167-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/2968-1168-0x0000000002160000-0x000000000218A000-memory.dmp

Filesize
168KB

Download
memory/2968-1157-0x0000000002160000-0x000000000216A000-memory.dmp

Filesize
40KB

Download
memory/2968-142-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2968-1161-0x0000000002160000-0x0000000002204000-memory.dmp

Filesize
656KB

Download
memory/2968-270-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2968-1160-0x0000000002160000-0x00000000021EC000-memory.dmp

Filesize
560KB

Download
memory/2968-1162-0x0000000002160000-0x00000000022FE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-1158-0x0000000002160000-0x000000000217E000-memory.dmp

Filesize
120KB

Download
memory/2968-140-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/2968-135-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/3024-163-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/3024-161-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3116-338-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3116-904-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3212-351-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3212-972-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3276-358-0x0000000100000000-0x0000000100235000-memory.dmp

Filesize
2.2MB

Download
memory/3276-985-0x0000000100000000-0x0000000100235000-memory.dmp

Filesize
2.2MB

Download
memory/3364-370-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/3364-548-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/3912-876-0x0000000003E00000-0x0000000003EBA000-memory.dmp

Filesize
744KB

Download