ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
22-11-2023 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
Size

1.8MB
MD5

08d37299a1c64453881f58aab76c4ea9
SHA1

43f3db9eb93cc025eae9029c22d813e6ed03d877
SHA256

ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d
SHA512

d3ea1d94339261fbc517a568df0149790b175b7e39745133b312b56eb12b1c06de04f449d3e069ca290e9119eb249dd20d6b2a668a32b7d2108c467bceedb492
SSDEEP

49152:xKJ0WR7AFPyyiSruXKpk3WFDL9zxnS6aIhzQvL2x4FYdd:xKlBAFPydSS6W6X9ln6v66Kd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2968	alg.exe
2372	aspnet_state.exe
1220	mscorsvw.exe
2068	mscorsvw.exe
1972	mscorsvw.exe
2000	mscorsvw.exe
2992	dllhost.exe
2388	ehRecvr.exe
1228	ehsched.exe
2696	elevation_service.exe
2604	GROOVE.EXE
2588	maintenanceservice.exe
1588	OSE.EXE
2760	mscorsvw.exe
772	OSPPSVC.EXE
2456	mscorsvw.exe
2240	mscorsvw.exe
2264	mscorsvw.exe
1804	mscorsvw.exe
2076	mscorsvw.exe
1688	mscorsvw.exe
1676	mscorsvw.exe
2688	mscorsvw.exe
1488	mscorsvw.exe
2756	mscorsvw.exe
1240	mscorsvw.exe
1412	mscorsvw.exe
2016	mscorsvw.exe
1432	mscorsvw.exe
2100	mscorsvw.exe
2576	mscorsvw.exe
1648	mscorsvw.exe
876	mscorsvw.exe
2840	mscorsvw.exe
988	mscorsvw.exe
2080	mscorsvw.exe
1792	mscorsvw.exe
1048	mscorsvw.exe
1412	mscorsvw.exe
1044	IEEtwCollector.exe
2760	msdtc.exe
2260	msiexec.exe
2732	perfhost.exe
2456	locator.exe
2172	snmptrap.exe
1752	vds.exe
1492	vssvc.exe
1804	wbengine.exe
1924	WmiApSrv.exe
1056	wmpnetwk.exe
1596	SearchIndexer.exe
1688	mscorsvw.exe
1992	mscorsvw.exe
908	mscorsvw.exe
2284	mscorsvw.exe
2712	mscorsvw.exe
1736	mscorsvw.exe
1688	mscorsvw.exe
2812	mscorsvw.exe
1768	mscorsvw.exe
2116	mscorsvw.exe
2356	mscorsvw.exe
1612	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2260	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
764	Process not Found
2712	mscorsvw.exe
2712	mscorsvw.exe
1688	mscorsvw.exe
1688	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
2356	mscorsvw.exe
2356	mscorsvw.exe
2388	mscorsvw.exe
2388	mscorsvw.exe
2608	mscorsvw.exe
2608	mscorsvw.exe
2544	mscorsvw.exe
2544	mscorsvw.exe
112	mscorsvw.exe
112	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe
1452	mscorsvw.exe
1452	mscorsvw.exe
1176	mscorsvw.exe
1176	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
2096	mscorsvw.exe
2096	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
1488	mscorsvw.exe
1488	mscorsvw.exe
2944	mscorsvw.exe
2944	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
1608	mscorsvw.exe
1608	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6179e4b354788660.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\goopdateres_ro.dll	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\goopdateres_da.dll	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\GoogleUpdate.exe	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\goopdateres_hu.dll	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\goopdateres_ms.dll	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\goopdateres_el.dll	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\goopdateres_bn.dll	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\psmachine_64.dll	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2EAE.tmp\goopdateres_en-GB.dll	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BA2.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFBAD.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23C6.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4CC9.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A90.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3340.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090d7a628571dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090edcc28571dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9E84C845-BB9A-4CA4-B753-FFCECE138FF7}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 01000000000000005092e226571dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3044	ehRec.exe
2372	aspnet_state.exe
2372	aspnet_state.exe
2372	aspnet_state.exe
2372	aspnet_state.exe
2372	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2952	ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: 33	2056	EhTray.exe
Token: SeIncBasePriorityPrivilege	2056	EhTray.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeDebugPrivilege	3044	ehRec.exe
Token: 33	2056	EhTray.exe
Token: SeIncBasePriorityPrivilege	2056	EhTray.exe
Token: SeDebugPrivilege	2968	alg.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2372	aspnet_state.exe
Token: SeRestorePrivilege	2260	msiexec.exe
Token: SeTakeOwnershipPrivilege	2260	msiexec.exe
Token: SeSecurityPrivilege	2260	msiexec.exe
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe
Token: SeBackupPrivilege	1804	wbengine.exe
Token: SeRestorePrivilege	1804	wbengine.exe
Token: SeSecurityPrivilege	1804	wbengine.exe
Token: SeDebugPrivilege	2372	aspnet_state.exe
Token: 33	1056	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1056	wmpnetwk.exe
Token: SeManageVolumePrivilege	1596	SearchIndexer.exe
Token: 33	1596	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1596	SearchIndexer.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1972	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2056	EhTray.exe
2056	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2056	EhTray.exe
2056	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
2264	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2760	1972	mscorsvw.exe	43
PID 1972 wrote to memory of 2760	1972	mscorsvw.exe	43
PID 1972 wrote to memory of 2760	1972	mscorsvw.exe	43
PID 1972 wrote to memory of 2760	1972	mscorsvw.exe	43
PID 1972 wrote to memory of 2456	1972	mscorsvw.exe	45
PID 1972 wrote to memory of 2456	1972	mscorsvw.exe	45
PID 1972 wrote to memory of 2456	1972	mscorsvw.exe	45
PID 1972 wrote to memory of 2456	1972	mscorsvw.exe	45
PID 1972 wrote to memory of 2240	1972	mscorsvw.exe	46
PID 1972 wrote to memory of 2240	1972	mscorsvw.exe	46
PID 1972 wrote to memory of 2240	1972	mscorsvw.exe	46
PID 1972 wrote to memory of 2240	1972	mscorsvw.exe	46
PID 1972 wrote to memory of 2264	1972	mscorsvw.exe	47
PID 1972 wrote to memory of 2264	1972	mscorsvw.exe	47
PID 1972 wrote to memory of 2264	1972	mscorsvw.exe	47
PID 1972 wrote to memory of 2264	1972	mscorsvw.exe	47
PID 1972 wrote to memory of 1804	1972	mscorsvw.exe	48
PID 1972 wrote to memory of 1804	1972	mscorsvw.exe	48
PID 1972 wrote to memory of 1804	1972	mscorsvw.exe	48
PID 1972 wrote to memory of 1804	1972	mscorsvw.exe	48
PID 1972 wrote to memory of 2076	1972	mscorsvw.exe	49
PID 1972 wrote to memory of 2076	1972	mscorsvw.exe	49
PID 1972 wrote to memory of 2076	1972	mscorsvw.exe	49
PID 1972 wrote to memory of 2076	1972	mscorsvw.exe	49
PID 1972 wrote to memory of 1688	1972	mscorsvw.exe	50
PID 1972 wrote to memory of 1688	1972	mscorsvw.exe	50
PID 1972 wrote to memory of 1688	1972	mscorsvw.exe	50
PID 1972 wrote to memory of 1688	1972	mscorsvw.exe	50
PID 1972 wrote to memory of 1676	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 1676	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 1676	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 1676	1972	mscorsvw.exe	51
PID 1972 wrote to memory of 2688	1972	mscorsvw.exe	52
PID 1972 wrote to memory of 2688	1972	mscorsvw.exe	52
PID 1972 wrote to memory of 2688	1972	mscorsvw.exe	52
PID 1972 wrote to memory of 2688	1972	mscorsvw.exe	52
PID 1972 wrote to memory of 1488	1972	mscorsvw.exe	53
PID 1972 wrote to memory of 1488	1972	mscorsvw.exe	53
PID 1972 wrote to memory of 1488	1972	mscorsvw.exe	53
PID 1972 wrote to memory of 1488	1972	mscorsvw.exe	53
PID 1972 wrote to memory of 2756	1972	mscorsvw.exe	54
PID 1972 wrote to memory of 2756	1972	mscorsvw.exe	54
PID 1972 wrote to memory of 2756	1972	mscorsvw.exe	54
PID 1972 wrote to memory of 2756	1972	mscorsvw.exe	54
PID 1972 wrote to memory of 1240	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1240	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1240	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1240	1972	mscorsvw.exe	55
PID 1972 wrote to memory of 1412	1972	mscorsvw.exe	56
PID 1972 wrote to memory of 1412	1972	mscorsvw.exe	56
PID 1972 wrote to memory of 1412	1972	mscorsvw.exe	56
PID 1972 wrote to memory of 1412	1972	mscorsvw.exe	56
PID 1972 wrote to memory of 2016	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 2016	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 2016	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 2016	1972	mscorsvw.exe	57
PID 1972 wrote to memory of 1432	1972	mscorsvw.exe	58
PID 1972 wrote to memory of 1432	1972	mscorsvw.exe	58
PID 1972 wrote to memory of 1432	1972	mscorsvw.exe	58
PID 1972 wrote to memory of 1432	1972	mscorsvw.exe	58
PID 1972 wrote to memory of 2100	1972	mscorsvw.exe	59
PID 1972 wrote to memory of 2100	1972	mscorsvw.exe	59
PID 1972 wrote to memory of 2100	1972	mscorsvw.exe	59
PID 1972 wrote to memory of 2100	1972	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe
"C:\Users\Admin\AppData\Local\Temp\ccfa65d05053c39b33b03968a1b80582d22ed6c3610cf08f5eb02c639042bf0d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1220

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 1d4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 1d4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 1f0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 268 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 268 -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 24c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 290 -NGENProcess 260 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 244 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2ac -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 27c -NGENProcess 294 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 1e8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 21c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 240 -NGENProcess 1e8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1e8 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 21c -NGENProcess 298 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 298 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d0 -NGENProcess 2a8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 21c -NGENProcess 290 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 2ac -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 2a4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d4 -NGENProcess 24c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2a8 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 24c -NGENProcess 2b8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 260 -NGENProcess 2bc -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 1d4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b4 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d0 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d8 -NGENProcess 268 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2a8 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2dc -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 260 -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2c0 -NGENProcess 2e8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 244 -NGENProcess 2e4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 11c -NGENProcess 2f0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2b4 -NGENProcess 268 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2dc -NGENProcess 2a8 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 2a8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 268 -NGENProcess 2a8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ec -NGENProcess 300 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2fc -NGENProcess 304 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2a8 -NGENProcess 308 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 244 -NGENProcess 304 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 310 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 310 -NGENProcess 2fc -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 318 -NGENProcess 244 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 310 -NGENProcess 2ec -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 324 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 328 -NGENProcess 2ec -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 328 -NGENProcess 2f4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 318 -NGENProcess 330 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2ec -NGENProcess 334 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 338 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 31c -NGENProcess 32c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 32c -NGENProcess 2f4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 32c -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 348 -NGENProcess 2f4 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 334 -NGENProcess 34c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 34c -NGENProcess 344 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 340 -NGENProcess 354 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 328 -NGENProcess 2fc -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 344 -NGENProcess 364 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 35c -NGENProcess 31c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:3060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2388

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2588

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1588

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1861898231-3446828954-4278112889-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1861898231-3446828954-4278112889-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1160
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
c6ce80924ada60929e23d8d83273ede1

SHA1
7aed82ba07f5f336c15bf764641480f6d9d78dd6

SHA256
4877afcd9454df2a1cc4cf77d918378c057bda81e8120e1a56dab6f33f37b86e

SHA512
1fcc82d8693de3d3f20d2bb90c6064fc74edda4041e0bf35e55196c25091e5bc69fd7862b1e3714aa7e5085407f962a48ab32cfbbc7290f24a235961c0393076

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
fcc55417d28c7b2c85a18fbf8fec20a9

SHA1
d29fe8aca3f907218369a5c615ad81a3d0fba2a5

SHA256
466c2d1ff7f8d0f0a06857a671c98d32a13d5912d85aa54d2ccf1d6006467496

SHA512
e4b2875f0ee1c92b7b293e848d5911e30ddf8fe482fdef0b2e027828f56cf823cde9b5367a7176263ec116b78bdf5b9c0c5882ace36c518e800703fb2b1223d3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
11d3fae9e1cb96bd660e723c24ef6733

SHA1
dacc925531c0efdc6268fb1a429ff81b80f450c8

SHA256
9edd5716e3c31fcd446f46cf974611d634b2be5d9efb107fab2ec2f630523bb8

SHA512
ec609cd473ce520e90e646929ce93f4a9208b0e6a97c77322ff9533e32b068d62c60b3589823d80ba5d80fceb6a6e8effd91cb61e19ce6c1bb745a8e9538e423

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
11d3fae9e1cb96bd660e723c24ef6733

SHA1
dacc925531c0efdc6268fb1a429ff81b80f450c8

SHA256
9edd5716e3c31fcd446f46cf974611d634b2be5d9efb107fab2ec2f630523bb8

SHA512
ec609cd473ce520e90e646929ce93f4a9208b0e6a97c77322ff9533e32b068d62c60b3589823d80ba5d80fceb6a6e8effd91cb61e19ce6c1bb745a8e9538e423

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
3911311446abba3b52bac5cb2fb0bc95

SHA1
e4594526f0d0eb4b1ccc410776b14a6c6169dc7e

SHA256
44cd2587b13b28d862fc4821493e45a236f32653892346b703f5e9b706beed77

SHA512
b0ac667204463a372b4a2d4aec36b9689f91f21b08366d2c7a8d747ecc04d7eee2e8867fd707fb5989c99007ff075e83e2981697f524dd486b25f2e6f7745820

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5fb63f4d1f3261d57c7d66f58182e7ab

SHA1
6023f88e6e50ff1563aa56f09ccbfb8ba8ec49a4

SHA256
e6de2e95027962784bd9a514bae25c1283317864451b9a14cd0f2c608dae9053

SHA512
4c8983e6708df51405c192fa1f1e2fa4f1b167142cbd1ac60c2b826b5507f45d2e334f3d97429cbd5c075024414d3cad588a0ffd58389346219076674b1f8d76

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c9837ce57460ce141c41730dffac3d12

SHA1
6fe593a7aed54a944681945edbf0f08165217c0c

SHA256
4f0df43953e35f5231820f9fbf89d8129a2435ce940b3af52189b0cc4a6d80bc

SHA512
ebb9d91dbbcf5fe8ee4230eb2ac4c71206e2d5d3687a5ee5ce808133a3530e6f35436fea809da108b8d1e305c3fdbb69cc18cdb223260c22e9a634df44f56e1e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
40d974dc9adbafad0c90e47c4a3ba6df

SHA1
a1fc3d6b3fdc7ad20a323591f72e4caf78de6d85

SHA256
1f24327bfda7d61ea3066679beead3372a6bb6898273b1ce79ab724988f10557

SHA512
d510c201c955118883dabd5ab8868cd5e82fedcd4628c22baa3b24bbd988be15e77bb403fe5acf306171ad2601289d8f181ba13b7da95377de821c832fd6ca8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
79c984155f6876b1a558bb5246f2876d

SHA1
bd8634f8947ef0481c04f05d61fdf1f889b88c7e

SHA256
e8b144b1cbc9941595623a1dea9781da28787b3ee4c8f948b67039863f3b819f

SHA512
cb29483ea72fed03ac92a7fc906f79870a33fe4bc54efce69c7579d8f890fa291404a2933ece34b18ff879652d35ff757aed464f9282ab1d4d2d7eacbf608902

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
79c984155f6876b1a558bb5246f2876d

SHA1
bd8634f8947ef0481c04f05d61fdf1f889b88c7e

SHA256
e8b144b1cbc9941595623a1dea9781da28787b3ee4c8f948b67039863f3b819f

SHA512
cb29483ea72fed03ac92a7fc906f79870a33fe4bc54efce69c7579d8f890fa291404a2933ece34b18ff879652d35ff757aed464f9282ab1d4d2d7eacbf608902

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9c3e0010f23bf8088f25c5085eab88ab

SHA1
89361bcad9b9f937f6f5aae89d933df7156ad906

SHA256
9b9c0eb04c7a560f6f071845bbc386e57869ed11ebb3c35a16242993c76ebb27

SHA512
f75721965a503f3300421b07946dfc5a4d7716ee186f1d331cb9baa4e177a54622c3c0f4dd854f229d551336a35fd327fe24c85a6653b2f18826d7a2d7327387

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
3ba37c88b2d89abe9b26ed494e65a833

SHA1
8b8f2cb12db69de97a9e7f23e61d5ca1df0eef21

SHA256
01dee702bf9bd631f49049fe1787f1aa6d672ac2b09e2957d9641963a1f944eb

SHA512
652cc1ce4aa5245a89d8abc10c8f961af05dccd4a232eb9cbfac066697e01e337bef4cb92d56f4d8c1d8c99d14eecaf927860cf554aa540e06d98f9744456669

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
ad571bd668931285ee8eaf4b0d11ebc8

SHA1
05922739fc932d56c0df4a2be043428c5fb19287

SHA256
f8138ac3dd105058b3bbac1a0b48e3d4e0c178eb39cffe5aa1258bd250401ea7

SHA512
2a7b9d594e195562751538e11caf08f72cad7f587f70c3cf18576184514a27cdd3dc3739ed9b987ec3c91367a74a333591e828b98bc87716118f664716da8e91

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
ad571bd668931285ee8eaf4b0d11ebc8

SHA1
05922739fc932d56c0df4a2be043428c5fb19287

SHA256
f8138ac3dd105058b3bbac1a0b48e3d4e0c178eb39cffe5aa1258bd250401ea7

SHA512
2a7b9d594e195562751538e11caf08f72cad7f587f70c3cf18576184514a27cdd3dc3739ed9b987ec3c91367a74a333591e828b98bc87716118f664716da8e91

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
ad571bd668931285ee8eaf4b0d11ebc8

SHA1
05922739fc932d56c0df4a2be043428c5fb19287

SHA256
f8138ac3dd105058b3bbac1a0b48e3d4e0c178eb39cffe5aa1258bd250401ea7

SHA512
2a7b9d594e195562751538e11caf08f72cad7f587f70c3cf18576184514a27cdd3dc3739ed9b987ec3c91367a74a333591e828b98bc87716118f664716da8e91

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
ad571bd668931285ee8eaf4b0d11ebc8

SHA1
05922739fc932d56c0df4a2be043428c5fb19287

SHA256
f8138ac3dd105058b3bbac1a0b48e3d4e0c178eb39cffe5aa1258bd250401ea7

SHA512
2a7b9d594e195562751538e11caf08f72cad7f587f70c3cf18576184514a27cdd3dc3739ed9b987ec3c91367a74a333591e828b98bc87716118f664716da8e91

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
20ceeecad19ab78d0d78f2d0cdb50251

SHA1
67b204f08b808532e4fa9abaefa10128bbddb0fa

SHA256
cec3839a89feffab249a24cd00f315e09fd6230dab7199a4d0c8ff56dbd49aaf

SHA512
2b0bf368f2ab9f23fd615f7dda68b83119855f5c4bf8cb6d0194d08ff19a7f69e04be3f74f4ec7dcd1c29d137a0decdfb8957b2a22279a77ca0cb0386a85fcf8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
20ceeecad19ab78d0d78f2d0cdb50251

SHA1
67b204f08b808532e4fa9abaefa10128bbddb0fa

SHA256
cec3839a89feffab249a24cd00f315e09fd6230dab7199a4d0c8ff56dbd49aaf

SHA512
2b0bf368f2ab9f23fd615f7dda68b83119855f5c4bf8cb6d0194d08ff19a7f69e04be3f74f4ec7dcd1c29d137a0decdfb8957b2a22279a77ca0cb0386a85fcf8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
470ab4078a87e665eeea6719a518e5b2

SHA1
2550f939e0e59a616e7eb5128203e6ee16ef31f0

SHA256
4c23c17adb075d3bb22b9de408d10dd79235f55b5911840447765f430659230e

SHA512
99407aa0a71a5c3fc9d24126298bf4195480d143a1e6c701d00ec1154c9b6196a281da981bfa9557929f6af5446bb7e0d854f3ef8ee2deb6819b0900d542d32d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
655281ae7d7475c00723abf022708ff4

SHA1
e321559a9ba1cf4855c9b3b8ace26d3bef2ea6b1

SHA256
e00ee4967934651a99c244eed82a4e634482539aa2422e169d08b55182550dce

SHA512
219accc5f645f0e9815e2e4247a163e7f18db2153041fe78e42465712e9887872b27d4a0183b06701f0a823f4d140cbd72ec1cf6188c84ea55924fb8e256b038

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
f273537bed60b52f6cad0fdb37245a54

SHA1
217e8a3bd0bd6c3c42d383e1f3e7eed8fe62752b

SHA256
11f4e3b0257d0122fc2e34db313d9dcc9e4b1b4276088428162a6cb094015c1c

SHA512
ba0a751f840e09a994eac2b2fcb37459afdf501c8dc8df4be503aa74eaf58748e1f8e05091d4cd7bfcfbc00b04209f84936c5d226c8dee7e8fddc78307f4b07a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
79b76470c1e857f9b02abe50f19c1216

SHA1
70141825a9c761653f5bf35132561a19460fa418

SHA256
068f8ceb30fe24e081a012850e92216f749c2b9989ee91d712ac4a85b4d2f57b

SHA512
e2693f2b59c3017a362c01a9da9993f40bea4cbee892aaf989f6d5d54e75743845d15bcc5faf4e0f57b7cb3db83d7ac0e9ade738d567a1c9473894a60c097202

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
0cc077fe6395931f97600bc5209ec386

SHA1
1241f5cc768f188bf6b3da4496b48a192f907ee1

SHA256
39a6b305470598e530dd17fcb6220dfdff5e57cda2bfde54df1d4eb9d73439d0

SHA512
b137efbb5740226fa095fb0d8232b3ae45f8bf0b704ba1d61c2bf4dccbdd0b044921be9a258400080115337464757d9ef3aa8d466691228c1573301bb14ed852

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
70f02f336f749ffbeea404a0e35e00b9

SHA1
3017a7dfe5f904df812078e71f9f7e348a9b6630

SHA256
ee1cd25b7637a7b3da880b1a98007694eef66bb648b89c2007b4245cf97a2e95

SHA512
a1459358e348c752ea04ec697b6a0d1411833e9f2d5596f23147603cd1a3de3bcf4a4a7797a0916b4fb439fd63b469fa412168320ba2d1ba20aefd9782f98e4b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
9ab9c302e30a9cef3178708fc86b39a6

SHA1
1cebad8d7cd027bbd0f9a85cce73b32346a43c74

SHA256
a8d4a5cd0ff15d30aebe79aa8b66c44279d23cedabafb2218f28ca1493638649

SHA512
adc78bbb5a2320a3ed918bfbeadbaa4ea3afd2b5bbffe9ddffb264542b0282a898655d59cc5f85dd4185ae786e5ed8a06602c85402af289e7d1218ef2d558619

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
54414e11a4ffba3c88b198f032388a30

SHA1
2759470e36754321ede32341931493a4e033e36e

SHA256
eebadfc64f5ce5a8db8243a6e9f3b2a5423903dca36f6fdf333fd4be2fe56489

SHA512
4d547f92b03dffa4548dda963b96224b40c29388de6e60ba927630b86a6e4f4e1591eaa1fda2070fc295e8d22d182a732aa59bef74446aea3f94459ecda104d7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
4110cbaf539c539e8ac291b52386a2ad

SHA1
e105bd0b64ad9764c6c2eaec495a00a77a1e587f

SHA256
efe46d4d65163cf13442626b3511aa65396644ac1ad785cfa98a08459f6a7890

SHA512
9a4b33d64777475aea97c8a7b2667c94f817a4cc91d4070cb00dcca8c5a9ae618ba8acc343083ccb706f94e0d7c7554614885822684617a18079c82be0251c1c

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.2MB

MD5
a83c738643b29016aa5af2986f93612b

SHA1
19aacf60d12000c47101f4222f015b43b288158e

SHA256
fe61e89ba0c9e4537aeb503db0956e6c870cc8aca816f77b30cad90709394c34

SHA512
4b15016b57339359f7e9cab019797ebb15d364295201aa7264176d52516c56130ed5da79c82445ab38f2ac9b98d983cc2c9df9b27ef3deb1add86074fd2425cc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\279b514d4363481c9bd23d90022adc63\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
b51dfdffa19f5980f7963759cd38a9c3

SHA1
9a7072b0d868c5ceef0ec3b53fbc07876d5f9653

SHA256
72dd993972c98acd56882d1b464fe9f731513fcac48be531b56408ab87909799

SHA512
813b21b5b29aa6a76f70b00af002f8b74c286af90aeede74b2afd58576d6f13a6a7fb03f45bc924d28edc5fbfcab29c124c5b72f5f08850d1553da1164fb1833

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\cb8f572228b89adb9d19a6fae4ecc1f8\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
8395709a94e604ba325f20e2589d9e82

SHA1
c08eb8104c4615746ce078eb6fc4510a71508fd6

SHA256
2a4561d3911c463db39790aa1930a46464d4edef45f5d0c5698a095f1629af35

SHA512
2862a90fc857838674d3696803e3ebf62dcdd43e6016a35ab12eb689ba37da1e18efc9db9d1101a7fb64c000b1eba5f960ef161b597177bf6820834f5d3a1e82

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e610e681ca64e7ee8f567adbff92c89f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
864f40608b37238520451fed1eb7f3b1

SHA1
71d4ea3552af526903e60dd935ec5c371a5cdca5

SHA256
a602d5d0ede0be603bf2e47704c28dde7689dc4efbde8efee8ebfb046a5abc5e

SHA512
9851a6119a8fb6142f54230ef5fc60dd15a6e57cd41157c0652eeba7db5d85a4a192f9f8298ef716edb1e6bebd2d1ac0c104a65edf9e59d01ac4ab904b5abaa0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFA.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
da12ad857bebfebb967f68e25de3dd69

SHA1
a79d6722f451e7901e46a56ffb0b44bffa5266d8

SHA256
98fd04260943dba78745de726aa11c424b069c79bf1db79c489f42e320d7f8b3

SHA512
842545d21522a98e85c9ba5f40f561e8dd4d2377295ec93a3cd9292441c0d4d6c3b9f0d8cb1fcefa33722a2f21c38db89fc11873ef1e46036b04c7c358688797

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
da12ad857bebfebb967f68e25de3dd69

SHA1
a79d6722f451e7901e46a56ffb0b44bffa5266d8

SHA256
98fd04260943dba78745de726aa11c424b069c79bf1db79c489f42e320d7f8b3

SHA512
842545d21522a98e85c9ba5f40f561e8dd4d2377295ec93a3cd9292441c0d4d6c3b9f0d8cb1fcefa33722a2f21c38db89fc11873ef1e46036b04c7c358688797

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
8ea7cbffa47dc61bf474bb363920986d

SHA1
fb3a3d1f7360569800d07ff6302176f622e26ebe

SHA256
e89b889268e47e18f3b6447feab1e65a31d92d1be07cefefc69a60d7010c7eae

SHA512
bd9c048e24974b26f7ac6070661fa05b3cad22d24be61e4ab7ccc98c4ceda5698f64383f280e5a8c5abc359f53c5a901fbfe00d5f095f9459a7fd168da6a94bd

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
8ea7cbffa47dc61bf474bb363920986d

SHA1
fb3a3d1f7360569800d07ff6302176f622e26ebe

SHA256
e89b889268e47e18f3b6447feab1e65a31d92d1be07cefefc69a60d7010c7eae

SHA512
bd9c048e24974b26f7ac6070661fa05b3cad22d24be61e4ab7ccc98c4ceda5698f64383f280e5a8c5abc359f53c5a901fbfe00d5f095f9459a7fd168da6a94bd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a83c738643b29016aa5af2986f93612b

SHA1
19aacf60d12000c47101f4222f015b43b288158e

SHA256
fe61e89ba0c9e4537aeb503db0956e6c870cc8aca816f77b30cad90709394c34

SHA512
4b15016b57339359f7e9cab019797ebb15d364295201aa7264176d52516c56130ed5da79c82445ab38f2ac9b98d983cc2c9df9b27ef3deb1add86074fd2425cc

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
79c984155f6876b1a558bb5246f2876d

SHA1
bd8634f8947ef0481c04f05d61fdf1f889b88c7e

SHA256
e8b144b1cbc9941595623a1dea9781da28787b3ee4c8f948b67039863f3b819f

SHA512
cb29483ea72fed03ac92a7fc906f79870a33fe4bc54efce69c7579d8f890fa291404a2933ece34b18ff879652d35ff757aed464f9282ab1d4d2d7eacbf608902

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
3ba37c88b2d89abe9b26ed494e65a833

SHA1
8b8f2cb12db69de97a9e7f23e61d5ca1df0eef21

SHA256
01dee702bf9bd631f49049fe1787f1aa6d672ac2b09e2957d9641963a1f944eb

SHA512
652cc1ce4aa5245a89d8abc10c8f961af05dccd4a232eb9cbfac066697e01e337bef4cb92d56f4d8c1d8c99d14eecaf927860cf554aa540e06d98f9744456669

Download Submit
\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
0cc077fe6395931f97600bc5209ec386

SHA1
1241f5cc768f188bf6b3da4496b48a192f907ee1

SHA256
39a6b305470598e530dd17fcb6220dfdff5e57cda2bfde54df1d4eb9d73439d0

SHA512
b137efbb5740226fa095fb0d8232b3ae45f8bf0b704ba1d61c2bf4dccbdd0b044921be9a258400080115337464757d9ef3aa8d466691228c1573301bb14ed852

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
70f02f336f749ffbeea404a0e35e00b9

SHA1
3017a7dfe5f904df812078e71f9f7e348a9b6630

SHA256
ee1cd25b7637a7b3da880b1a98007694eef66bb648b89c2007b4245cf97a2e95

SHA512
a1459358e348c752ea04ec697b6a0d1411833e9f2d5596f23147603cd1a3de3bcf4a4a7797a0916b4fb439fd63b469fa412168320ba2d1ba20aefd9782f98e4b

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
9ab9c302e30a9cef3178708fc86b39a6

SHA1
1cebad8d7cd027bbd0f9a85cce73b32346a43c74

SHA256
a8d4a5cd0ff15d30aebe79aa8b66c44279d23cedabafb2218f28ca1493638649

SHA512
adc78bbb5a2320a3ed918bfbeadbaa4ea3afd2b5bbffe9ddffb264542b0282a898655d59cc5f85dd4185ae786e5ed8a06602c85402af289e7d1218ef2d558619

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
54414e11a4ffba3c88b198f032388a30

SHA1
2759470e36754321ede32341931493a4e033e36e

SHA256
eebadfc64f5ce5a8db8243a6e9f3b2a5423903dca36f6fdf333fd4be2fe56489

SHA512
4d547f92b03dffa4548dda963b96224b40c29388de6e60ba927630b86a6e4f4e1591eaa1fda2070fc295e8d22d182a732aa59bef74446aea3f94459ecda104d7

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
4110cbaf539c539e8ac291b52386a2ad

SHA1
e105bd0b64ad9764c6c2eaec495a00a77a1e587f

SHA256
efe46d4d65163cf13442626b3511aa65396644ac1ad785cfa98a08459f6a7890

SHA512
9a4b33d64777475aea97c8a7b2667c94f817a4cc91d4070cb00dcca8c5a9ae618ba8acc343083ccb706f94e0d7c7554614885822684617a18079c82be0251c1c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.2MB

MD5
a83c738643b29016aa5af2986f93612b

SHA1
19aacf60d12000c47101f4222f015b43b288158e

SHA256
fe61e89ba0c9e4537aeb503db0956e6c870cc8aca816f77b30cad90709394c34

SHA512
4b15016b57339359f7e9cab019797ebb15d364295201aa7264176d52516c56130ed5da79c82445ab38f2ac9b98d983cc2c9df9b27ef3deb1add86074fd2425cc

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.2MB

MD5
a83c738643b29016aa5af2986f93612b

SHA1
19aacf60d12000c47101f4222f015b43b288158e

SHA256
fe61e89ba0c9e4537aeb503db0956e6c870cc8aca816f77b30cad90709394c34

SHA512
4b15016b57339359f7e9cab019797ebb15d364295201aa7264176d52516c56130ed5da79c82445ab38f2ac9b98d983cc2c9df9b27ef3deb1add86074fd2425cc

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
8f31c6874d9f75e1a6131f442ebb5f18

SHA1
6bc7247bfbc10343353a59497bf40daac32a6a73

SHA256
0fb8e9bb42636afadf49be620b8cfdacc55a2118063c658d70f99b6f81a11a6f

SHA512
d7deb7de3aca9194bf6edc98998a851c095e694c772591dda2e7a6f99fea8b23cb79e530d4157a67e7908ba2cdca0572233231257e48a6b67b0953673a17b965

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
da12ad857bebfebb967f68e25de3dd69

SHA1
a79d6722f451e7901e46a56ffb0b44bffa5266d8

SHA256
98fd04260943dba78745de726aa11c424b069c79bf1db79c489f42e320d7f8b3

SHA512
842545d21522a98e85c9ba5f40f561e8dd4d2377295ec93a3cd9292441c0d4d6c3b9f0d8cb1fcefa33722a2f21c38db89fc11873ef1e46036b04c7c358688797

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
8ea7cbffa47dc61bf474bb363920986d

SHA1
fb3a3d1f7360569800d07ff6302176f622e26ebe

SHA256
e89b889268e47e18f3b6447feab1e65a31d92d1be07cefefc69a60d7010c7eae

SHA512
bd9c048e24974b26f7ac6070661fa05b3cad22d24be61e4ab7ccc98c4ceda5698f64383f280e5a8c5abc359f53c5a901fbfe00d5f095f9459a7fd168da6a94bd

Download Submit
memory/772-369-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/772-479-0x0000000074418000-0x000000007442D000-memory.dmp

Filesize
84KB

Download
memory/772-571-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/772-377-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/772-380-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1220-108-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1220-140-0x0000000010000000-0x00000000101BC000-memory.dmp

Filesize
1.7MB

Download
memory/1220-113-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1220-107-0x0000000010000000-0x00000000101BC000-memory.dmp

Filesize
1.7MB

Download
memory/1228-296-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1228-355-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1228-287-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1588-482-0x000000002E000000-0x000000002E1D2000-memory.dmp

Filesize
1.8MB

Download
memory/1588-356-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1588-345-0x000000002E000000-0x000000002E1D2000-memory.dmp

Filesize
1.8MB

Download
memory/1972-144-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1972-143-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/1972-150-0x00000000005D0000-0x0000000000637000-memory.dmp

Filesize
412KB

Download
memory/1972-294-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2000-160-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2000-166-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/2000-169-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2000-306-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/2068-123-0x0000000010000000-0x00000000101C4000-memory.dmp

Filesize
1.8MB

Download
memory/2068-124-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2068-131-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2068-175-0x0000000010000000-0x00000000101C4000-memory.dmp

Filesize
1.8MB

Download
memory/2240-579-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2240-487-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2240-531-0x0000000072F90000-0x000000007367E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-181-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/2372-96-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2372-95-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/2372-103-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2388-347-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2388-205-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2388-198-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2388-289-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2456-523-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2456-478-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2588-335-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2588-343-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2588-342-0x0000000140000000-0x00000001401E7000-memory.dmp

Filesize
1.9MB

Download
memory/2588-334-0x0000000140000000-0x00000001401E7000-memory.dmp

Filesize
1.9MB

Download
memory/2604-331-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2604-321-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/2696-376-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2696-307-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2696-299-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2760-472-0x0000000072F90000-0x000000007367E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-477-0x0000000072F90000-0x000000007367E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-476-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2760-365-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2952-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2952-2-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2952-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2952-285-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2952-142-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2968-46-0x0000000100000000-0x00000001001C1000-memory.dmp

Filesize
1.8MB

Download
memory/2968-47-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2968-89-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2968-161-0x0000000100000000-0x00000001001C1000-memory.dmp

Filesize
1.8MB

Download
memory/2992-184-0x0000000100000000-0x00000001001B2000-memory.dmp

Filesize
1.7MB

Download
memory/2992-323-0x0000000100000000-0x00000001001B2000-memory.dmp

Filesize
1.7MB

Download
memory/2992-182-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2992-190-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3044-322-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-543-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/3044-379-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-381-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/3044-384-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-320-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/3044-319-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download