blustealer | d7604717f253c708b811bbc895b9baeb3f9060161bfcfc7791e42855ac3f1927

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-05-2023 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

2a67b3a60052a5c4a7f5a799feb3e95a
SHA1

632f937a310a689f8cc71dad111a6a0074486646
SHA256

d7604717f253c708b811bbc895b9baeb3f9060161bfcfc7791e42855ac3f1927
SHA512

cdc3fbefdce5c55855ca8c1d3a0e08d49430d518ad01812636b84dbd97835ef528422dde80459f14f24113f4c482ae599a6db2a88990aeb291d15d935d80785b
SSDEEP

24576:pxgsRftD0C2nKGH0Djsf9nz4mloFQnpXUMPQDR6q79dA:paSftDnGUDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
1916	alg.exe
596	aspnet_state.exe
1704	mscorsvw.exe
316	mscorsvw.exe
2020	mscorsvw.exe
1280	mscorsvw.exe
1964	dllhost.exe
1276	ehRecvr.exe
1712	ehsched.exe
1756	elevation_service.exe
608	mscorsvw.exe
1908	mscorsvw.exe
1124	mscorsvw.exe
1632	mscorsvw.exe
2096	mscorsvw.exe
2200	mscorsvw.exe
2332	mscorsvw.exe
2428	mscorsvw.exe
2520	mscorsvw.exe
2632	mscorsvw.exe
2724	mscorsvw.exe
2820	mscorsvw.exe
2912	mscorsvw.exe
3012	mscorsvw.exe
528	mscorsvw.exe
2072	mscorsvw.exe
2312	mscorsvw.exe
2368	mscorsvw.exe
2264	mscorsvw.exe
2588	mscorsvw.exe
2516	mscorsvw.exe
2748	mscorsvw.exe
2836	mscorsvw.exe
2896	mscorsvw.exe
1764	mscorsvw.exe
1936	IEEtwCollector.exe
2092	GROOVE.EXE
2212	maintenanceservice.exe
2352	msdtc.exe
2440	msiexec.exe
2464	OSE.EXE
2480	OSPPSVC.EXE
2604	perfhost.exe
2332	locator.exe
2684	snmptrap.exe
2740	vds.exe
2876	vssvc.exe
900	wbengine.exe
2992	WmiApSrv.exe
608	wmpnetwk.exe
2916	SearchIndexer.exe
2096	mscorsvw.exe
2508	mscorsvw.exe
1308	mscorsvw.exe
2780	mscorsvw.exe
1944	mscorsvw.exe
2140	mscorsvw.exe
2188	mscorsvw.exe
2388	mscorsvw.exe
860	mscorsvw.exe
1308	mscorsvw.exe
1596	mscorsvw.exe
2680	mscorsvw.exe

Loads dropped DLL 52 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2440	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
760	Process not Found
1944	mscorsvw.exe
1944	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
860	mscorsvw.exe
860	mscorsvw.exe
1596	mscorsvw.exe
1596	mscorsvw.exe
2272	mscorsvw.exe
2272	mscorsvw.exe
1652	mscorsvw.exe
1652	mscorsvw.exe
3000	mscorsvw.exe
3000	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
1356	mscorsvw.exe
1356	mscorsvw.exe
1832	mscorsvw.exe
1832	mscorsvw.exe
2356	mscorsvw.exe
2356	mscorsvw.exe
2136	mscorsvw.exe
2136	mscorsvw.exe
584	mscorsvw.exe
584	mscorsvw.exe
2492	mscorsvw.exe
2492	mscorsvw.exe
2636	mscorsvw.exe
2636	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
2216	mscorsvw.exe
2216	mscorsvw.exe
1968	mscorsvw.exe
1968	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\vds.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d02a9bc7693df14.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1192 set thread context of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DAC84675-37FF-4FBE-B599-BD322F822B5F}\chrome_installer.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP12B7.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP33D.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E89.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP346A.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{60A70DC9-6D72-4B1D-947D-27EF1C4ACA98}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC7.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{F615EE08-53DE-4FCB-9518-F0A9AA91714A}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d035b0ff3688d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1844	ehRec.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: 33	1652	EhTray.exe
Token: SeIncBasePriorityPrivilege	1652	EhTray.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeDebugPrivilege	1844	ehRec.exe
Token: 33	1652	EhTray.exe
Token: SeIncBasePriorityPrivilege	1652	EhTray.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeRestorePrivilege	2440	msiexec.exe
Token: SeTakeOwnershipPrivilege	2440	msiexec.exe
Token: SeSecurityPrivilege	2440	msiexec.exe
Token: SeBackupPrivilege	2876	vssvc.exe
Token: SeRestorePrivilege	2876	vssvc.exe
Token: SeAuditPrivilege	2876	vssvc.exe
Token: SeBackupPrivilege	900	wbengine.exe
Token: SeRestorePrivilege	900	wbengine.exe
Token: SeSecurityPrivilege	900	wbengine.exe
Token: 33	608	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	608	wmpnetwk.exe
Token: SeManageVolumePrivilege	2916	SearchIndexer.exe
Token: 33	2916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2916	SearchIndexer.exe
Token: SeDebugPrivilege	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeDebugPrivilege	1916	alg.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe
Token: SeShutdownPrivilege	1280	mscorsvw.exe
Token: SeShutdownPrivilege	2020	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1652	EhTray.exe
1652	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1652	EhTray.exe
1652	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1064	SearchProtocolHost.exe
1064	SearchProtocolHost.exe
1064	SearchProtocolHost.exe
1064	SearchProtocolHost.exe
1064	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
2788	SearchProtocolHost.exe
1064	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 1192 wrote to memory of 1928	1192	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	30
PID 2020 wrote to memory of 608	2020	mscorsvw.exe	40
PID 2020 wrote to memory of 608	2020	mscorsvw.exe	40
PID 2020 wrote to memory of 608	2020	mscorsvw.exe	40
PID 2020 wrote to memory of 608	2020	mscorsvw.exe	40
PID 2020 wrote to memory of 1908	2020	mscorsvw.exe	42
PID 2020 wrote to memory of 1908	2020	mscorsvw.exe	42
PID 2020 wrote to memory of 1908	2020	mscorsvw.exe	42
PID 2020 wrote to memory of 1908	2020	mscorsvw.exe	42
PID 2020 wrote to memory of 1124	2020	mscorsvw.exe	43
PID 2020 wrote to memory of 1124	2020	mscorsvw.exe	43
PID 2020 wrote to memory of 1124	2020	mscorsvw.exe	43
PID 2020 wrote to memory of 1124	2020	mscorsvw.exe	43
PID 2020 wrote to memory of 1632	2020	mscorsvw.exe	44
PID 2020 wrote to memory of 1632	2020	mscorsvw.exe	44
PID 2020 wrote to memory of 1632	2020	mscorsvw.exe	44
PID 2020 wrote to memory of 1632	2020	mscorsvw.exe	44
PID 2020 wrote to memory of 2096	2020	mscorsvw.exe	45
PID 2020 wrote to memory of 2096	2020	mscorsvw.exe	45
PID 2020 wrote to memory of 2096	2020	mscorsvw.exe	45
PID 2020 wrote to memory of 2096	2020	mscorsvw.exe	45
PID 2020 wrote to memory of 2200	2020	mscorsvw.exe	46
PID 2020 wrote to memory of 2200	2020	mscorsvw.exe	46
PID 2020 wrote to memory of 2200	2020	mscorsvw.exe	46
PID 2020 wrote to memory of 2200	2020	mscorsvw.exe	46
PID 2020 wrote to memory of 2332	2020	mscorsvw.exe	47
PID 2020 wrote to memory of 2332	2020	mscorsvw.exe	47
PID 2020 wrote to memory of 2332	2020	mscorsvw.exe	47
PID 2020 wrote to memory of 2332	2020	mscorsvw.exe	47
PID 2020 wrote to memory of 2428	2020	mscorsvw.exe	48
PID 2020 wrote to memory of 2428	2020	mscorsvw.exe	48
PID 2020 wrote to memory of 2428	2020	mscorsvw.exe	48
PID 2020 wrote to memory of 2428	2020	mscorsvw.exe	48
PID 2020 wrote to memory of 2520	2020	mscorsvw.exe	49
PID 2020 wrote to memory of 2520	2020	mscorsvw.exe	49
PID 2020 wrote to memory of 2520	2020	mscorsvw.exe	49
PID 2020 wrote to memory of 2520	2020	mscorsvw.exe	49
PID 2020 wrote to memory of 2632	2020	mscorsvw.exe	50
PID 2020 wrote to memory of 2632	2020	mscorsvw.exe	50
PID 2020 wrote to memory of 2632	2020	mscorsvw.exe	50
PID 2020 wrote to memory of 2632	2020	mscorsvw.exe	50
PID 2020 wrote to memory of 2724	2020	mscorsvw.exe	51
PID 2020 wrote to memory of 2724	2020	mscorsvw.exe	51
PID 2020 wrote to memory of 2724	2020	mscorsvw.exe	51
PID 2020 wrote to memory of 2724	2020	mscorsvw.exe	51
PID 2020 wrote to memory of 2820	2020	mscorsvw.exe	52
PID 2020 wrote to memory of 2820	2020	mscorsvw.exe	52
PID 2020 wrote to memory of 2820	2020	mscorsvw.exe	52
PID 2020 wrote to memory of 2820	2020	mscorsvw.exe	52
PID 2020 wrote to memory of 2912	2020	mscorsvw.exe	53
PID 2020 wrote to memory of 2912	2020	mscorsvw.exe	53
PID 2020 wrote to memory of 2912	2020	mscorsvw.exe	53
PID 2020 wrote to memory of 2912	2020	mscorsvw.exe	53
PID 2020 wrote to memory of 3012	2020	mscorsvw.exe	54
PID 2020 wrote to memory of 3012	2020	mscorsvw.exe	54
PID 2020 wrote to memory of 3012	2020	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\1200-140-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1200-140-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1928

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1704

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 24c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 1d4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 238 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 238 -NGENProcess 1d0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 238 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 238 -NGENProcess 23c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 26c -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 26c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 284 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 280 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 240 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 298 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 274 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1e8 -NGENProcess 1f4 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 260 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1ec -NGENProcess 238 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 244 -NGENProcess 1f4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 258 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1f4 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1cc -NGENProcess 218 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 218 -NGENProcess 1dc -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1dc -NGENProcess 1f4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1f4 -NGENProcess 1ec -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1ec -NGENProcess 218 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 24c -NGENProcess 218 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 1dc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1dc -NGENProcess 1ec -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 274 -NGENProcess 218 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 218 -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 2a4 -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1ec -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1ec -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 218 -NGENProcess 2b8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 258 -NGENProcess 2a4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a4 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b8 -NGENProcess 258 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c8 -NGENProcess 1dc -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 1dc -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2d0 -NGENProcess 258 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 258 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 258 -NGENProcess 2d4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1dc -NGENProcess 2dc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 2e8 -NGENProcess 2f0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2c8 -NGENProcess 2fc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d4 -NGENProcess 2f0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f0 -NGENProcess 2f4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 2f0 -NGENProcess 1dc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 1cc -NGENProcess 2d4 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 314 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2c8 -NGENProcess 2d4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2c8 -NGENProcess 310 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c8 -NGENProcess 318 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2c8 -NGENProcess 2e8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2c8 -NGENProcess 308 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2c8 -NGENProcess 1dc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2fc -NGENProcess 308 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2fc -NGENProcess 2c8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 308 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 338 -NGENProcess 314 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2c8 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 33c -NGENProcess 338 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 168 -NGENProcess 16c -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 168 -NGENProcess 16c -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1964

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1276

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1652

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2464

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2480

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2916
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3499517378-2376672570-1134980332-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3499517378-2376672570-1134980332-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1064
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2120
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d6456cc2a352e74df1777b1b8d96658e

SHA1
a0fa2c13ad86e29b8a5fc4dc4aa11ef826aa4c9b

SHA256
87ffcaea375a4fe9e052047f3fcf2da3c1fbe32b397d5c8f7ca8ebbb54fd8d57

SHA512
22841d91980ae810f96a63534afcafa4ef583db8ccd4d9d4f5c7af305de74b157438ad66f1273c5515a10c9e301ffe2753e62968421862cf14bc2f4fb8c28592

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
974f4d37d2dfe9b2c0405f8087cc9141

SHA1
42fad37d0b2979f0294a4bfe1ba3585fb489c6c9

SHA256
0aba9782d7b5476321796717a179bcb6bf93849e1ce9b28b068aaf2b7d1695fc

SHA512
8d122fd4956188495ca42c22767fb82004687f32abb05de0e614a49f4b21ffb31e34406f478f84b5a579fbc6de859c3acce52df35b35de6d6962904074039f4e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
10fe23c9253390007ddafc12b91f54b7

SHA1
4de3b182aa5899cb51e042161572e96352821669

SHA256
3cbe54de357fa752ab341e1fb31450b243ce9c6b48689bfbc9001eb45eead76a

SHA512
b87169d9115265031e288405bc2fd1b67f5d843964a9a5656e26ad29c374cb23411150fa2ffc6307f31a5e3d72cd73a4fbad23f3bfc670fa5c86a02697357073

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
08923bf59141fd750aced542b30b1d85

SHA1
75cafac3bb7abd5dd3ef9b522679a3021933c651

SHA256
59b0e9c6ff842cd3e7fad4b3ec6ca6e22c103cdd4228af131271b804881b7189

SHA512
423a3e08f6ee5e05b02e16af47b043fe4cf54fac67d22ad9e073cfd4acaba437d09247940ea1462d2287c4540afe194f54ff763e7bb68f8df34d6a870e8994a8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
80d84fe39d47e18e5c6f5b2f28291b89

SHA1
296dd005d991d562eb2663f0291607c99df127fc

SHA256
5b7cd41ccf0a91b6fc29974aa46ae528164d1a00a859b2fda8d9e48ea5d85238

SHA512
8dad3a60fd57d68307e740b64ff2d9bb6815db04f419764e398143baf398d5d0450375a1f1cd5ea83fac24707b908e0c0665f96922d74342f34cfb5a2ee0611a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d29973db8cc9986b245bce0a21d3fa5b

SHA1
591fb6a0f026503992e830a354f44b4a9692a401

SHA256
cd6ea3a57abbed894ce5e6ce51f0132238e09fb13a624d17898a9e92323fdf6c

SHA512
9e7a605768eefaf8e254c2b26bc985becec0888d5403203bc8ae39220ac684e22d2b217eea0e5ab7a2588b7bf0ec73e4381239cbec50522f0ae3cbcea97194d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
31f12ae65557720e95d7269b10f41244

SHA1
0ac9050ed03e28ad2f468baa50738ad4f3a559f4

SHA256
90328edec337ab1f838d06216c2e45fbb9fb17d8ee27128fb16f0a5e772358a4

SHA512
f69d07cfbd277172dc9fec07a78df756203d6f11deeecc9438cb71f67e0d30a7cd6782e12d01c3da49819ad24671641ef82453b448456b6f8a0287e28ab19d39

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
31f12ae65557720e95d7269b10f41244

SHA1
0ac9050ed03e28ad2f468baa50738ad4f3a559f4

SHA256
90328edec337ab1f838d06216c2e45fbb9fb17d8ee27128fb16f0a5e772358a4

SHA512
f69d07cfbd277172dc9fec07a78df756203d6f11deeecc9438cb71f67e0d30a7cd6782e12d01c3da49819ad24671641ef82453b448456b6f8a0287e28ab19d39

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
cb500a3236aeb35ad8cffbde6c98b55c

SHA1
ceb5e91605d8a219323f4caf3e8e25ec3e2f91fa

SHA256
772793fa048eb7ae28ebfeb277baedfc58ef38d8449f67f754caef8c54e67f89

SHA512
b0ac54cd82f0d54b3312b0ea659873b807d54bb0974ba43fb73bb8e84baf701153f307509c2c7c5bc8a599d1b6ea1bf2fd76a75e177ec6b916e4e876f72eaced

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
1abb5042bf81e0f862368c25c3af5a33

SHA1
b8d7cd40bb5dea4b7a2b05b7a21969718e509da1

SHA256
552b43521d113d0c35f9cbcdf33aca40c9aabbc4649787e180752d49084db332

SHA512
457c1d4de19c75422830ed7233b75b3b642f177f59f1c7435610477494c47f5997de07d63d9391d033fb8c3550142b27ef8f99c3bc46f5eb302647acdceaf336

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
574df231fdee0b1702e6342bbcb0e343

SHA1
e0bc0b9210ec076091830e234be95e175aeed5f4

SHA256
4f78dadfb243485cb7a2ae47cd77cebaa92852c84ebd62ee3265557173361465

SHA512
19b973eb9d493959d7cebbf5fc8de71612653c8b23fd6adb534ef242b1f0d90f2c8f319d353dc8ca6a04365d5bb85c97924d3eaa09926fc3ad01f179d2e92b47

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
574df231fdee0b1702e6342bbcb0e343

SHA1
e0bc0b9210ec076091830e234be95e175aeed5f4

SHA256
4f78dadfb243485cb7a2ae47cd77cebaa92852c84ebd62ee3265557173361465

SHA512
19b973eb9d493959d7cebbf5fc8de71612653c8b23fd6adb534ef242b1f0d90f2c8f319d353dc8ca6a04365d5bb85c97924d3eaa09926fc3ad01f179d2e92b47

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
574df231fdee0b1702e6342bbcb0e343

SHA1
e0bc0b9210ec076091830e234be95e175aeed5f4

SHA256
4f78dadfb243485cb7a2ae47cd77cebaa92852c84ebd62ee3265557173361465

SHA512
19b973eb9d493959d7cebbf5fc8de71612653c8b23fd6adb534ef242b1f0d90f2c8f319d353dc8ca6a04365d5bb85c97924d3eaa09926fc3ad01f179d2e92b47

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
574df231fdee0b1702e6342bbcb0e343

SHA1
e0bc0b9210ec076091830e234be95e175aeed5f4

SHA256
4f78dadfb243485cb7a2ae47cd77cebaa92852c84ebd62ee3265557173361465

SHA512
19b973eb9d493959d7cebbf5fc8de71612653c8b23fd6adb534ef242b1f0d90f2c8f319d353dc8ca6a04365d5bb85c97924d3eaa09926fc3ad01f179d2e92b47

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c2895703ce0a0ef37990421a5154cd27

SHA1
4ad66621fd1b3b4d38d20def30e04299128a6652

SHA256
0db081a0ba60fdd73a96faa3ada16cea14513514ef28b49d6b2e19bb0f613ab7

SHA512
e1adccbc4099e9997e9720ab75f0950d76d357709c2fd90862b907c9a3d99d43198c7fae7051040ef0bf1843040cbce23a21630efd9fc2182285db5142774602

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c2895703ce0a0ef37990421a5154cd27

SHA1
4ad66621fd1b3b4d38d20def30e04299128a6652

SHA256
0db081a0ba60fdd73a96faa3ada16cea14513514ef28b49d6b2e19bb0f613ab7

SHA512
e1adccbc4099e9997e9720ab75f0950d76d357709c2fd90862b907c9a3d99d43198c7fae7051040ef0bf1843040cbce23a21630efd9fc2182285db5142774602

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
d8fb6abd7acd395502f229e2022b8f89

SHA1
87307081b83b5b207a891f1f6fe5e735cecc15db

SHA256
fe8def4f7c3da8ac52d14a052c200cb266d6d0e433cf04cb67eef6af838d1a9e

SHA512
2cd17d08d17b445716d2b9b00b3405dee29b31013ea5c2eb1725bc22e784d2e7dede72f4bdfbd5546f0e5771c3a5a5c521c0e962489b935b54ac24c1d9250658

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
3cc5c0e8dbcc4d001d13a4995a358d99

SHA1
242ab7e8ecd4b9858654a772704a0dfbe63630e3

SHA256
fe6643762cca457b10e70d883306e01fea43d2b81131ab0e6da88a40d0ec0ccf

SHA512
3f8633fc8d1f82b0863f97f7797c7ba4c6328e510619fe08b35b666a2d2ebfbc0480bc9fc16e350ef3e3c01146147317f22277ffc1b27f63c57138503e470364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
814ebf3268ede7a6fa823b9664620cc5

SHA1
241f9693b09bba31808807faebcf2b8f93255ed0

SHA256
f7470bcc24f79709c826e605e586345a02bae54534917757164c2d54c88ec823

SHA512
3c59c16919efc3e08a55d28117d1aa83225e7c7dd437681dc9cb64f502d7a65e572d7e5f810b82053ca5f24379764547cf061e3bca4ddc4b2ba86bcb6aaf7365

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fc2fc430d4766403e01fe063195eadb8

SHA1
b8111b4be1180256b1e3b38e046c6e51c727ba56

SHA256
521e8b589d27946265a2cb301425e098a5a2939eb06274351c61115e8bfd84b7

SHA512
5f92a254c2500819d592b77b1abc475aa412dc6e8d08449bb7d9bf2c33ad2ee0ec1698dfe3f97592c02838e3d066d048e5e20bf853d139fd1fddd32c4f9224b5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d7d3418471e8c1bcb4ae319a52ab56fa

SHA1
3cfb29e2248f0a1910f923a03661dae47b8b9d28

SHA256
88e7f2861f0fb310364877a0909e02fa5d4e0c378259091452a09d75d3dff20b

SHA512
3113ee848150fe45a79f92fea56574821d92d660d0f5440bcad3a021fa7daf1e869d82e6450a47382bb6f7399f20e20cdd904228ef68aa633e423d3e506a191a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bd73c69f72bdf898ba686880c5718ba4

SHA1
58eff14c17621fbd19ecb0ca448172792f96968a

SHA256
a67f6964a099f8ebe1ca9c65e0a6ede9c68588c3bc5a2a60d477ac04d039067d

SHA512
e84267703b90a3ae95fb17cc65c56ce37fb4a5622917852a1fce1af35a00c9d32a1240fd0df4e1f69a7a09ff520ea054881563722c9183cc900e72b59e5a2970

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
42e949b12f00cee32f4c55343182d671

SHA1
7d2f5498b98d6420c20a891f6b4ff5a71261a911

SHA256
06e0b9a42e32877d960dae1a927011ec6428eaf2b0b08e188380d4500c12a431

SHA512
91aaa9614e951eb4ae746dda5b53cf00642cb60ee665d07819da657aa5f4323f2084f3970a4c2bdafdc664138b9dae78f2d251374ad653edf26f6cffcb1ba166

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
ee1e2d4292a2379753ecb71e3f4afb5e

SHA1
f816b8d38769436a12f82fec682ec53177bebe97

SHA256
9fd1fbfd862655f59d29dcf6f56980746e61d513a9d03d32b13a43b4443f3f68

SHA512
4c1f938217cbc54dba043eae46a58a30538d6129328118d5146231e23f9d1a52bd25121317326006b9f72342778d6da8ef1c5824bb6bd95b6ab61e3bbae52030

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e4544ba02203eff20edef8de945c81bb

SHA1
35930b2feaefe97cb45943926abd0006dc461f2c

SHA256
dfff8406484c95b3ae307dd42c0971f03a14cb728cfbe1d46ca0653eeb781e3f

SHA512
caa93bc9dbd77c772d32e5f85c99c8a978f647d5b66eeb3aaa514a3d04bdbcf8c3f0a77257acdea14195ba6369e49ca3b723955940e5b924f6dd431ee455804e

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
559323489a0f15e2554e3a5f87c63211

SHA1
f0c5bce532d9caf123b2b062a22ecf34c8dd9d0e

SHA256
3d457a554ca528f44bab5c21c11182bb04d2b323072e16bebac6fbdd5648e8e9

SHA512
ed2934797b4f5804603d1504fc60709930c7d70c25f86d409fe9fb4340fa1ecb12d37987e238fda64d95f06a946ce643f9561eec406d08256ec11011eb7db942

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bf1f5e8f5876124a23b0ca616f8a1c1f

SHA1
b2e0d7fec95c8d5d09b5ab4342c7da5bbc3d8477

SHA256
92b3ea2d3d33cd5b253c7cd2e1bcbae852ad338bb548467c23e21472eba1f2e0

SHA512
2b1f3e19eddea292600a4bd009c6bd12e51e355f463eb3d8fa226a42a8b0bcdc07a53d90d85a10cac4b97afc3ac710ec52f8027531f583142cd69742801e56fd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
96b713da3e579dbb5e578485fa4fe885

SHA1
8743c6c30764546fe70fef2dd77c7b7d5f3e72e9

SHA256
98750729b4eeb08c9a7e7ddb523de0b5489fd45f9209a21b7ecfa2b7336f8b0d

SHA512
ae3d2a80ab21db6dcfa76586229e0560cf25da2f060091837da938d448de7e9ec18c0de28c49296777d06649d065d26a4c437b66bdadc6359edddac1a1c24e5f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2c2d93b09e5536aaebbce68468094099\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
bb937b56aefdf991e728da25c9a4b55c

SHA1
dd003b456f5763ba837d31f3e129f66847b30f24

SHA256
6b55856f5daa2ce63ff59994df8fd74326165bb621306281b60ec29806eba3d3

SHA512
8fb1fbd937528329af496be5dee4606fb030ea1e4007c77842f41fefc825357f81df0a2b584058214b378611edd2739acda64ba80612da8a1ea016923d12bfc3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\598573705b971e8d7520b273d1e329b3\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
77dc7708da831d574b968718ef3987ec

SHA1
7b72783632e52b133e5d80fda463125cca4c34cb

SHA256
ad3e3d086e67ef99b304d144f3e4433a8bbca4ebe43ed8dcad7594b5105f9961

SHA512
3a87d9ca32d4d4baea5619af9ae041494dc1792a0091056ddbcaf62db379d05b275134906a344b3c04df4bc6db9e2b97991770ed457f74651e80c3a453e5643c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fd3fea0a8956b57bef5d2d2a529304f3\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
1fd6dbefaaf839ebb5a84bfbf32a7567

SHA1
ad1cb337549e21d970d4073b9f237474a358ed16

SHA256
0a0e836d91bed2808d5c6db1b87bcb0f30ef018ddcd3042da180b67d2cd3026d

SHA512
c7585eb591cda7519d03fc4f30f01cf4e60bb3dded0488726382a7a9883f07e4f88ecc0ac69bc8f9fddf5e18941c4a1b4870b6455261fb536030464ad5c7437b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
7aa787478b00e50e07155e36caf13d48

SHA1
b2eba0296b3078f324935de65b574ef44f99deec

SHA256
4f39208514ea53b430e80bdd3c694c271d6b7f1d0490ecc63e6a65c8c3a768a4

SHA512
418a6cc73ba4c7acc13c1cceccb971618cf121f523ec3e517d4b7db3ec3d05ad887db8aa8e82674c2821a777c9d146b2f4d7358fb20dc1823927578bd14f446c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fa59a641f817a7bcc4dc152edfa907c4

SHA1
0980c62fb184f7378efd06e17acde4cb0a4f1a24

SHA256
20adbe7858ebcd7bf79639dbe8125d5261ee54dd6391b74c620a1386216ec343

SHA512
7f0f846486a1d9766f9f68b8c50a31c15c403a36166ad2bd61d663321d83d47094252ff684db3b140bbe8ddb81d00862123bec8110a038fc1ef5275b1748d8cc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
559323489a0f15e2554e3a5f87c63211

SHA1
f0c5bce532d9caf123b2b062a22ecf34c8dd9d0e

SHA256
3d457a554ca528f44bab5c21c11182bb04d2b323072e16bebac6fbdd5648e8e9

SHA512
ed2934797b4f5804603d1504fc60709930c7d70c25f86d409fe9fb4340fa1ecb12d37987e238fda64d95f06a946ce643f9561eec406d08256ec11011eb7db942

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
31f12ae65557720e95d7269b10f41244

SHA1
0ac9050ed03e28ad2f468baa50738ad4f3a559f4

SHA256
90328edec337ab1f838d06216c2e45fbb9fb17d8ee27128fb16f0a5e772358a4

SHA512
f69d07cfbd277172dc9fec07a78df756203d6f11deeecc9438cb71f67e0d30a7cd6782e12d01c3da49819ad24671641ef82453b448456b6f8a0287e28ab19d39

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
1abb5042bf81e0f862368c25c3af5a33

SHA1
b8d7cd40bb5dea4b7a2b05b7a21969718e509da1

SHA256
552b43521d113d0c35f9cbcdf33aca40c9aabbc4649787e180752d49084db332

SHA512
457c1d4de19c75422830ed7233b75b3b642f177f59f1c7435610477494c47f5997de07d63d9391d033fb8c3550142b27ef8f99c3bc46f5eb302647acdceaf336

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d7d3418471e8c1bcb4ae319a52ab56fa

SHA1
3cfb29e2248f0a1910f923a03661dae47b8b9d28

SHA256
88e7f2861f0fb310364877a0909e02fa5d4e0c378259091452a09d75d3dff20b

SHA512
3113ee848150fe45a79f92fea56574821d92d660d0f5440bcad3a021fa7daf1e869d82e6450a47382bb6f7399f20e20cdd904228ef68aa633e423d3e506a191a

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bd73c69f72bdf898ba686880c5718ba4

SHA1
58eff14c17621fbd19ecb0ca448172792f96968a

SHA256
a67f6964a099f8ebe1ca9c65e0a6ede9c68588c3bc5a2a60d477ac04d039067d

SHA512
e84267703b90a3ae95fb17cc65c56ce37fb4a5622917852a1fce1af35a00c9d32a1240fd0df4e1f69a7a09ff520ea054881563722c9183cc900e72b59e5a2970

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
42e949b12f00cee32f4c55343182d671

SHA1
7d2f5498b98d6420c20a891f6b4ff5a71261a911

SHA256
06e0b9a42e32877d960dae1a927011ec6428eaf2b0b08e188380d4500c12a431

SHA512
91aaa9614e951eb4ae746dda5b53cf00642cb60ee665d07819da657aa5f4323f2084f3970a4c2bdafdc664138b9dae78f2d251374ad653edf26f6cffcb1ba166

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
ee1e2d4292a2379753ecb71e3f4afb5e

SHA1
f816b8d38769436a12f82fec682ec53177bebe97

SHA256
9fd1fbfd862655f59d29dcf6f56980746e61d513a9d03d32b13a43b4443f3f68

SHA512
4c1f938217cbc54dba043eae46a58a30538d6129328118d5146231e23f9d1a52bd25121317326006b9f72342778d6da8ef1c5824bb6bd95b6ab61e3bbae52030

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e4544ba02203eff20edef8de945c81bb

SHA1
35930b2feaefe97cb45943926abd0006dc461f2c

SHA256
dfff8406484c95b3ae307dd42c0971f03a14cb728cfbe1d46ca0653eeb781e3f

SHA512
caa93bc9dbd77c772d32e5f85c99c8a978f647d5b66eeb3aaa514a3d04bdbcf8c3f0a77257acdea14195ba6369e49ca3b723955940e5b924f6dd431ee455804e

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
559323489a0f15e2554e3a5f87c63211

SHA1
f0c5bce532d9caf123b2b062a22ecf34c8dd9d0e

SHA256
3d457a554ca528f44bab5c21c11182bb04d2b323072e16bebac6fbdd5648e8e9

SHA512
ed2934797b4f5804603d1504fc60709930c7d70c25f86d409fe9fb4340fa1ecb12d37987e238fda64d95f06a946ce643f9561eec406d08256ec11011eb7db942

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
559323489a0f15e2554e3a5f87c63211

SHA1
f0c5bce532d9caf123b2b062a22ecf34c8dd9d0e

SHA256
3d457a554ca528f44bab5c21c11182bb04d2b323072e16bebac6fbdd5648e8e9

SHA512
ed2934797b4f5804603d1504fc60709930c7d70c25f86d409fe9fb4340fa1ecb12d37987e238fda64d95f06a946ce643f9561eec406d08256ec11011eb7db942

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bf1f5e8f5876124a23b0ca616f8a1c1f

SHA1
b2e0d7fec95c8d5d09b5ab4342c7da5bbc3d8477

SHA256
92b3ea2d3d33cd5b253c7cd2e1bcbae852ad338bb548467c23e21472eba1f2e0

SHA512
2b1f3e19eddea292600a4bd009c6bd12e51e355f463eb3d8fa226a42a8b0bcdc07a53d90d85a10cac4b97afc3ac710ec52f8027531f583142cd69742801e56fd

Download Submit
\Windows\System32\vds.exe

Filesize
1.7MB

MD5
96b713da3e579dbb5e578485fa4fe885

SHA1
8743c6c30764546fe70fef2dd77c7b7d5f3e72e9

SHA256
98750729b4eeb08c9a7e7ddb523de0b5489fd45f9209a21b7ecfa2b7336f8b0d

SHA512
ae3d2a80ab21db6dcfa76586229e0560cf25da2f060091837da938d448de7e9ec18c0de28c49296777d06649d065d26a4c437b66bdadc6359edddac1a1c24e5f

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
7aa787478b00e50e07155e36caf13d48

SHA1
b2eba0296b3078f324935de65b574ef44f99deec

SHA256
4f39208514ea53b430e80bdd3c694c271d6b7f1d0490ecc63e6a65c8c3a768a4

SHA512
418a6cc73ba4c7acc13c1cceccb971618cf121f523ec3e517d4b7db3ec3d05ad887db8aa8e82674c2821a777c9d146b2f4d7358fb20dc1823927578bd14f446c

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
fa59a641f817a7bcc4dc152edfa907c4

SHA1
0980c62fb184f7378efd06e17acde4cb0a4f1a24

SHA256
20adbe7858ebcd7bf79639dbe8125d5261ee54dd6391b74c620a1386216ec343

SHA512
7f0f846486a1d9766f9f68b8c50a31c15c403a36166ad2bd61d663321d83d47094252ff684db3b140bbe8ddb81d00862123bec8110a038fc1ef5275b1748d8cc

Download Submit
memory/316-103-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/528-359-0x0000000003D40000-0x0000000003DFA000-memory.dmp

Filesize
744KB

Download
memory/528-358-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/528-372-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/596-98-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/608-177-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/608-193-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/608-181-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1124-220-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1124-198-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1192-287-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1192-59-0x0000000002660000-0x00000000026C6000-memory.dmp

Filesize
408KB

Download
memory/1192-54-0x0000000002660000-0x00000000026C6000-memory.dmp

Filesize
408KB

Download
memory/1192-76-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1276-179-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1276-143-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/1276-356-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1276-137-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/1276-160-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1276-159-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1276-158-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1280-126-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1632-232-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1704-99-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/1712-154-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1712-148-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1712-487-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1712-155-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1712-355-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1756-166-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1756-180-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1756-373-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1764-478-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1764-483-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1844-244-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1844-182-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1844-209-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1908-184-0x00000000006D0000-0x0000000000736000-memory.dmp

Filesize
408KB

Download
memory/1908-200-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1916-67-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1916-73-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1916-77-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1916-288-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1928-82-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1928-88-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1928-86-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1928-84-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1928-83-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1928-123-0x0000000000BF0000-0x0000000000CAC000-memory.dmp

Filesize
752KB

Download
memory/1928-127-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download
memory/1936-493-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1964-157-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2020-125-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2020-114-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2020-109-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2072-374-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2072-385-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2092-514-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2096-242-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2096-230-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2200-264-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2200-245-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2212-523-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2264-415-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2312-391-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2332-275-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2352-526-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2368-397-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2368-408-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2428-286-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2516-441-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2520-300-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2520-289-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2588-430-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2632-312-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2724-311-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2724-323-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2748-453-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2748-442-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2820-329-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2836-456-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2896-477-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2912-346-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3012-357-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download