8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
Size

1.8MB
MD5

1d11d8f4fe1eb214c58c190b3b371053
SHA1

91ce7878d66154011dd4ca602b3729ee551349f7
SHA256

8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb
SHA512

10bc3a7e16cd23b3204032aa53e0baa681346acac4a4afb16c1853e5ca28fb15b097e85cbe8dde333ddedb5acf0e35872885c19be276694d91ce885c32d0b4da
SSDEEP

49152:nx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAsgDUYmvFur31yAipQCtXxc0H:nvbjVkjjCAzJWU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2728	alg.exe
2780	aspnet_state.exe
2936	mscorsvw.exe
2884	mscorsvw.exe
860	mscorsvw.exe
2084	mscorsvw.exe
1984	dllhost.exe
2072	ehRecvr.exe
1544	ehsched.exe
2720	elevation_service.exe
2708	GROOVE.EXE
3060	maintenanceservice.exe
2784	OSE.EXE
1504	OSPPSVC.EXE
1616	mscorsvw.exe
1740	mscorsvw.exe
2228	mscorsvw.exe
1644	mscorsvw.exe
2496	mscorsvw.exe
1496	mscorsvw.exe
2120	mscorsvw.exe
1596	mscorsvw.exe
2748	mscorsvw.exe
3032	mscorsvw.exe
2032	mscorsvw.exe
1744	mscorsvw.exe
2228	mscorsvw.exe
1240	mscorsvw.exe
1580	mscorsvw.exe
2308	mscorsvw.exe
3048	mscorsvw.exe
1596	mscorsvw.exe
2204	mscorsvw.exe
1804	mscorsvw.exe
2612	mscorsvw.exe
1972	mscorsvw.exe
344	mscorsvw.exe
320	mscorsvw.exe
3004	mscorsvw.exe
1596	IEEtwCollector.exe
268	msdtc.exe
1200	msiexec.exe
2612	perfhost.exe
2444	locator.exe
2436	snmptrap.exe
2176	vds.exe
1488	vssvc.exe
1084	wbengine.exe
1048	WmiApSrv.exe
2672	wmpnetwk.exe
2460	SearchIndexer.exe
2828	mscorsvw.exe
2776	mscorsvw.exe
2956	mscorsvw.exe
2164	mscorsvw.exe
1716	mscorsvw.exe
2952	mscorsvw.exe
3000	mscorsvw.exe
2796	mscorsvw.exe
2180	mscorsvw.exe
2624	mscorsvw.exe
752	mscorsvw.exe
1324	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1200	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
740	Process not Found
1716	mscorsvw.exe
1716	mscorsvw.exe
3000	mscorsvw.exe
3000	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
752	mscorsvw.exe
752	mscorsvw.exe
1304	mscorsvw.exe
1304	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
928	mscorsvw.exe
928	mscorsvw.exe
1708	mscorsvw.exe
1708	mscorsvw.exe
2040	mscorsvw.exe
2040	mscorsvw.exe
1016	mscorsvw.exe
1016	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
2624	mscorsvw.exe
2624	mscorsvw.exe
1804	mscorsvw.exe
1804	mscorsvw.exe
2352	mscorsvw.exe
2352	mscorsvw.exe
1556	mscorsvw.exe
1556	mscorsvw.exe
1752	mscorsvw.exe
1752	mscorsvw.exe
2468	mscorsvw.exe
2468	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e3a9a87e93c0dc56.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_ml.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_da.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_pl.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_fr.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{480F60EF-9141-4F29-B842-74D3719A6611}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_iw.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_en.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_gu.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_ur.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_de.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_bg.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{480F60EF-9141-4F29-B842-74D3719A6611}\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\psmachine.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A52.tmp\goopdateres_hr.dll	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F92.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{10F65F0D-E177-4496-9DA9-D7FFFDF5D4A0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{10F65F0D-E177-4496-9DA9-D7FFFDF5D4A0}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11A.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP55BE.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D57.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30B1.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC0B.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP628.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010ffe404fd32da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3008	ehRec.exe
2780	aspnet_state.exe
2780	aspnet_state.exe
2780	aspnet_state.exe
2780	aspnet_state.exe
2780	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1932	8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: 33	2732	EhTray.exe
Token: SeIncBasePriorityPrivilege	2732	EhTray.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeDebugPrivilege	3008	ehRec.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: 33	2732	EhTray.exe
Token: SeIncBasePriorityPrivilege	2732	EhTray.exe
Token: SeDebugPrivilege	2728	alg.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2780	aspnet_state.exe
Token: SeRestorePrivilege	1200	msiexec.exe
Token: SeTakeOwnershipPrivilege	1200	msiexec.exe
Token: SeSecurityPrivilege	1200	msiexec.exe
Token: SeBackupPrivilege	1488	vssvc.exe
Token: SeRestorePrivilege	1488	vssvc.exe
Token: SeAuditPrivilege	1488	vssvc.exe
Token: SeBackupPrivilege	1084	wbengine.exe
Token: SeRestorePrivilege	1084	wbengine.exe
Token: SeSecurityPrivilege	1084	wbengine.exe
Token: SeDebugPrivilege	2780	aspnet_state.exe
Token: SeManageVolumePrivilege	2460	SearchIndexer.exe
Token: 33	2672	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2672	wmpnetwk.exe
Token: 33	2460	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2460	SearchIndexer.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2084	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2732	EhTray.exe
2732	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2732	EhTray.exe
2732	EhTray.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
2548	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe
1592	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1616	860	mscorsvw.exe	44
PID 860 wrote to memory of 1616	860	mscorsvw.exe	44
PID 860 wrote to memory of 1616	860	mscorsvw.exe	44
PID 860 wrote to memory of 1616	860	mscorsvw.exe	44
PID 860 wrote to memory of 1740	860	mscorsvw.exe	45
PID 860 wrote to memory of 1740	860	mscorsvw.exe	45
PID 860 wrote to memory of 1740	860	mscorsvw.exe	45
PID 860 wrote to memory of 1740	860	mscorsvw.exe	45
PID 860 wrote to memory of 2228	860	mscorsvw.exe	56
PID 860 wrote to memory of 2228	860	mscorsvw.exe	56
PID 860 wrote to memory of 2228	860	mscorsvw.exe	56
PID 860 wrote to memory of 2228	860	mscorsvw.exe	56
PID 860 wrote to memory of 1644	860	mscorsvw.exe	47
PID 860 wrote to memory of 1644	860	mscorsvw.exe	47
PID 860 wrote to memory of 1644	860	mscorsvw.exe	47
PID 860 wrote to memory of 1644	860	mscorsvw.exe	47
PID 860 wrote to memory of 2496	860	mscorsvw.exe	48
PID 860 wrote to memory of 2496	860	mscorsvw.exe	48
PID 860 wrote to memory of 2496	860	mscorsvw.exe	48
PID 860 wrote to memory of 2496	860	mscorsvw.exe	48
PID 860 wrote to memory of 1496	860	mscorsvw.exe	49
PID 860 wrote to memory of 1496	860	mscorsvw.exe	49
PID 860 wrote to memory of 1496	860	mscorsvw.exe	49
PID 860 wrote to memory of 1496	860	mscorsvw.exe	49
PID 860 wrote to memory of 2120	860	mscorsvw.exe	50
PID 860 wrote to memory of 2120	860	mscorsvw.exe	50
PID 860 wrote to memory of 2120	860	mscorsvw.exe	50
PID 860 wrote to memory of 2120	860	mscorsvw.exe	50
PID 860 wrote to memory of 1596	860	mscorsvw.exe	61
PID 860 wrote to memory of 1596	860	mscorsvw.exe	61
PID 860 wrote to memory of 1596	860	mscorsvw.exe	61
PID 860 wrote to memory of 1596	860	mscorsvw.exe	61
PID 860 wrote to memory of 2748	860	mscorsvw.exe	52
PID 860 wrote to memory of 2748	860	mscorsvw.exe	52
PID 860 wrote to memory of 2748	860	mscorsvw.exe	52
PID 860 wrote to memory of 2748	860	mscorsvw.exe	52
PID 860 wrote to memory of 3032	860	mscorsvw.exe	53
PID 860 wrote to memory of 3032	860	mscorsvw.exe	53
PID 860 wrote to memory of 3032	860	mscorsvw.exe	53
PID 860 wrote to memory of 3032	860	mscorsvw.exe	53
PID 860 wrote to memory of 2032	860	mscorsvw.exe	54
PID 860 wrote to memory of 2032	860	mscorsvw.exe	54
PID 860 wrote to memory of 2032	860	mscorsvw.exe	54
PID 860 wrote to memory of 2032	860	mscorsvw.exe	54
PID 860 wrote to memory of 1744	860	mscorsvw.exe	55
PID 860 wrote to memory of 1744	860	mscorsvw.exe	55
PID 860 wrote to memory of 1744	860	mscorsvw.exe	55
PID 860 wrote to memory of 1744	860	mscorsvw.exe	55
PID 860 wrote to memory of 2228	860	mscorsvw.exe	56
PID 860 wrote to memory of 2228	860	mscorsvw.exe	56
PID 860 wrote to memory of 2228	860	mscorsvw.exe	56
PID 860 wrote to memory of 2228	860	mscorsvw.exe	56
PID 860 wrote to memory of 1240	860	mscorsvw.exe	57
PID 860 wrote to memory of 1240	860	mscorsvw.exe	57
PID 860 wrote to memory of 1240	860	mscorsvw.exe	57
PID 860 wrote to memory of 1240	860	mscorsvw.exe	57
PID 860 wrote to memory of 1580	860	mscorsvw.exe	58
PID 860 wrote to memory of 1580	860	mscorsvw.exe	58
PID 860 wrote to memory of 1580	860	mscorsvw.exe	58
PID 860 wrote to memory of 1580	860	mscorsvw.exe	58
PID 860 wrote to memory of 2308	860	mscorsvw.exe	59
PID 860 wrote to memory of 2308	860	mscorsvw.exe	59
PID 860 wrote to memory of 2308	860	mscorsvw.exe	59
PID 860 wrote to memory of 2308	860	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe
"C:\Users\Admin\AppData\Local\Temp\8a97ead0dcfffec62fee65b93ce746297a9fbc7b4858b0a05383272363782dbb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 250 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 240 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 240 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 288 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 270 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 288 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 28c -NGENProcess 21c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 284 -NGENProcess 1c4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 1c4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 23c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 284 -NGENProcess 270 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 2a8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 23c -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 29c -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2a8 -NGENProcess 2ac -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 274 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1c4 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 23c -NGENProcess 250 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2b4 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b4 -NGENProcess 1d4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b8 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b8 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 1d4 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c0 -NGENProcess 2c4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2c8 -NGENProcess 2bc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2bc -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 288 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d0 -NGENProcess 2ec -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 278 -NGENProcess 2f0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c0 -NGENProcess 2f0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f8 -NGENProcess 2f4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 300 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2e8 -NGENProcess 2b8 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2d8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 11c -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 310 -NGENProcess 2d8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 308 -NGENProcess 318 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 31c -NGENProcess 308 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 314 -NGENProcess 304 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2b8 -NGENProcess 320 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2d0 -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 324 -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 300 -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 318 -NGENProcess 330 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 32c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 338 -NGENProcess 300 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 33c -NGENProcess 2d0 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 314 -NGENProcess 318 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 308 -NGENProcess 2b8 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 338 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 33c -NGENProcess 34c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 350 -NGENProcess 32c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 350 -NGENProcess 308 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a4 -NGENProcess 3a0 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b8 -NGENProcess 3a8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 398 -NGENProcess 3c0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1984

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2072

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2732

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2708

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3060

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2460
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1268429524-3929314613-1992311491-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1268429524-3929314613-1992311491-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2548
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2812
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
98KB

MD5
7c999d022828862e2e999c31820e6e14

SHA1
08e9797c7eef932238ed078c353e9d64272389f4

SHA256
4e27ff4bd7a1bedd29809295345192ad37ba0780c37045c2915464c7cddc09f1

SHA512
1eac9652b72cd8ea201d4cb1d5712c10e38f680def9bd62a0e731c693d9422cbc4ab8ad3cddc0073c82b4299b92a4dcb9eb5f3015590ce7112674c3a0947e63f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
283KB

MD5
2973a000cbb371a13797ec81e18b0a58

SHA1
fcebe37a7a374bea347e3d08a866e20f43f4d9dd

SHA256
e50de0334ffac3e57763aebbe3c691c4b5f16148250d92c3021768c51b36d62a

SHA512
9ae5affacedcc93225f13f3546f3dc567c49622afce13379c7ebd6ef3e05d4a503b10e8c00caaf066563a381c619c362fc7cd70f8b3804813962c62bdecc9811

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
149KB

MD5
91ed200c78d8452a1eaed34ed7f34fa8

SHA1
d3c364d20b8cc3eaeaf937a4b2b153947ca4f0fe

SHA256
dda65ec3c4b869727f94ed2f8160bba9a9811f7adf17c9f17cb0ebc1cf4c0880

SHA512
f0b88d6e27ded9c86d06bb32f2b462c4c2a2bd56d7736519c8d8a97da4ae16cd2ba526279c3c2be2a7192b45f81c1969f1e93028e85fa5238675a66cc06b8c47

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
6ab353b730b925627ae59a654b88d7d9

SHA1
6238d577511cdc2a313eb63c9f98722f4c1198fb

SHA256
636763efbd43f7964ec1eadf5380858891d630d91f608873ec8a849d1d8cf9f7

SHA512
93fdc01d56d958f2e52d5c761eba5fe7e3851b56d0ae3eafbb89eb29e0097503eb1a34b87804100ef20e54cf821029c5b0cf633f534339a1291cf2758b285a0b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
238KB

MD5
dc6cf747ad1563d4bb16bca507cbf5c3

SHA1
165f983f6893b543e76e2d9178cef26c78db0d85

SHA256
24e2a45b8d23c7a4e8e35d108d6a3be74e5033a5b788e3df2a05639609197c91

SHA512
1bbb0380c05a6660dc6c095586d135008a938acba2ebbc8783d932710c7a129b2a14f96ae7a07aee77fea85b5500e4c6b7646b03a6aa6ebf16a4ae09b994ddf6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
45KB

MD5
274e53c183eaa97b0c0accc8192c70ac

SHA1
ab75da22e06d85a674bc0b60591396e2416bd189

SHA256
8899f924f71a185e8cffab1a3b6dbdd7bb1c99242c992b028f5869ee6fe69537

SHA512
fac9cca45a531be7a9b2dc95f28e5644e689bb14b3088f3f07d0c99b4875f509531670395f276b653410e0f3f155dc2421a47685c7f025f3140cf1b61bf7d05d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
930040effd395b3dc7208cc627b4727c

SHA1
3b16e3f489c2cfdeaffcb6a0a9bb509189619fb0

SHA256
6754a4e18dca65d1669c46e0b0e045ed0aa1a2bcf7314f2bf20f1f6b9880b007

SHA512
54c4ac8f9ab994cc0f59cc30197c1a81e21a7c6fa006ba160fed1d9f9bb9194856a6023140fa3aea38c2c237a35f2aa4a0dc473cb1418c9fab09410e50642f23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DPT6QZ84D8KO7EGDRVU1.temp

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
d8dbfcadb7f0dd065c10bec3bcb6076e

SHA1
bdf17e3bb5a62e71963acdd0ee8253242783b899

SHA256
e45cde1b9675762da5120dd92b6fbcc6a90646831d63a9d4960a71676f198926

SHA512
6fe3c547a301c4f81418d7b52c07e15ee43d22c9818c39e66d8cd160d4f649b17b0e23b0c9e83d6b6ea0f9a25adbea98c8cf0b13b4fc2e6b7f6a258ae97fcfcd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
642KB

MD5
8eb03ce974bde3d757ba56cde4db1499

SHA1
2abb502f3bd8747f5d23c4164e70ec7727e3a3bf

SHA256
63f6d9856abdcc90589cd4f3a40f84515a9852826cc3d04230dcf17e9f48164b

SHA512
d4a42f5b684d695ed33996e80fe73147230eab16da2ef09859e7b59d4ef0f8e27b9f6cf4dd96c726c6e8bd5c7bf0bfb36b7a46e47d9cb64936a5bfc886d37919

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
641KB

MD5
7fc3e2a9da6270bf5cfb0295c54d704d

SHA1
823fe457d583a596487e0b66eee79d49b1eb8e00

SHA256
a6f3560e1d74292ea3c2e8a64efabc8c26b9ec39147a4b01387851c8c6853c11

SHA512
ea206649e0fb33cd9383bc56cbf7d2b94b6f712bc9225af357303aab335dfab4f1fa0346337736bf33876ce230de6520752e16bddf76763c2a189c16ab5be99a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
409KB

MD5
b6bd179057cc245ec75c64814bae490f

SHA1
95e9c2df7250b8b1174c4df2ba35a50bc823cf44

SHA256
9c3562a15c85288393c6cd3c013a39739afca1000649c2a76cdc6c3681e0f933

SHA512
b9dba6339e7b9f92dd63c205ce511fe660f3e346c2b60c565f6c3368544c4a9cb3631812424f2b7a6df1bca5f0ee8933746b33dcabf132f5936a68fb4e3ab5d9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
94KB

MD5
85074549077919ff68100877354ee620

SHA1
1209e2d06511fd6db56f763f200b097387b0df80

SHA256
8113f4c117e2d8c7bec09d6201a989cc554b501f6fb15735db6ce559e3aa1e3a

SHA512
b7d53d2a08b0db00dfd539ce15526bb3d574b7c701f9931e1936040aeaed8cc236b7ae7cc5a187fa3a60fe74cc83c470840bb21a3aff1ee324f140008673fb06

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
49KB

MD5
0dec35d371c0d54a13c51168e293c986

SHA1
1a0705e28257429b44ce60b77fc36da93a1a5fb7

SHA256
de3c74e40c011850b072dba44e9ea6ccb8fbcaa5322cba4983cb094a71b0f5bd

SHA512
427aa2715662849285180e711e5663daec714263c606cc6ded9b28eef09e680fc131158b6fe65d85d133520a606685c252f2389fab6c6c6b12aeed253531e784

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
286KB

MD5
51c124081236579f35c32afe46a2681a

SHA1
25ebafd93d4234d029c74a71e0b299756deca5b7

SHA256
82254e012bf5567fdf83137ef1e8ddfaea0da3326a5f0c5713d82f5f9feef7a5

SHA512
575da56d9d7c89e052d378e15827294d8609a1311017d1ba8db5aa767d36bb3d7372a6453b916bb5b4702ee2a88928aaaf6fa7e86758352d167cffbcc5a9a5ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
345f60514a08fa91133e136c22f50f99

SHA1
df72c2c6435ff8002937719ec9300466096f510b

SHA256
135934282ec3b0f5c97d0e0f20d008bd5715c8c1ce494150b3469cb2e0da8380

SHA512
44e24acc5086db9727549d9ec8f8718bdf1d89c2e800b654f517a84743dbab95fbab662e9e8c889d43e6d91baa360da9a7a9783803a21b99ec309d2e6822e8f0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
f4b40b5798eebd963172e990356f7da8

SHA1
bb331ef330e778680664b2029b5b3bbb49070960

SHA256
305190abd4d6946726935a506b69cc817884069d6e549433914b3887d2fe4536

SHA512
a4bab96f32d4affc71c77c8a1eaec8fc8b6ee10c7555bda566852e22489de55ab9b7539f5fd5f14ca4b8a6811dee10c57102bbfcec87d56996487f3ee86e4567

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
210f220a162c1c1bc889ef937e5ff1cb

SHA1
4d853b0a34cd1f834940aeaee26c59c01b65eef1

SHA256
ffe1c3307a33ec4073f84b8bc11ddd17f5e1ecbf43de75f5b8876d59f18341ca

SHA512
b30e4a44bf1ff87ab41ad2ec416cffcf7cdc8b6cab1f23533f0c767c30f741835e9a14473ee395e73397b7155638505af77bfa36babfd2dc73fdd3384085b824

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
809KB

MD5
4fa465c3329d3c10a7d46d191fcdf55b

SHA1
c14f46c0118f70904b3dc147579a77862d85730a

SHA256
1df5b71119a083ec7f724f90cf145c6f792f376f30b95fb8a457079b7f589a95

SHA512
c96c96bbd24487cdb8a473b6f2df01d87996e9d3817b2ea0552fb8956a5fa9f0a2cc2ecdcadcc001e43b7b4f7b75e17435a7a6c4ff7f21a091c548806729c894

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
36KB

MD5
ddd0fdd426788cae73302f8898b702b0

SHA1
1155e3027570f31c7ede6d5e5a42aaa25fa08b16

SHA256
1cf58c4560ad8e4403f0cb8f54910f90ad1a85c740ae71749a107c87982d03d5

SHA512
64dccb1ce1fac649ef41b60bc1fcc714b68100226c2d595a2719502d22c1c94376ac03b5e6d7322db5e84802712a973916feb755105a004271f060b2a388d3f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
14KB

MD5
4a08006f4c0178b94c9e635d5b9ac7d9

SHA1
e4732c388bdb3de1ab511b0daa5bbd8cedc8939b

SHA256
2460679386f99169c0b2eabec298e79446670cc34805e853e9ccba9a3bd0c8a5

SHA512
9b8d9402bd3553dd1f27e9e7cc45b2d3e7f005878446b7079328f629dbf5e2b7b17a482afe8746af8894cc3c992428be9a9a3fd433a9830f9a8fc9907483a802

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
658b649880c80156117e3881a698ba0a

SHA1
b6cc8942601f678c00451700d8cd7d536312cf6f

SHA256
48bf3b97a3954ba6d4d803d05bccb8042ccb567f33d1737dbac5a6727a255365

SHA512
28bffe1cef6f47829e5e9c0a5d8e0119929682fac40a68a1b09fdfbe0f708286d970ccd3c6e08d11cb54a1a68d295bb6eda17939592518201b018a76aec3b34d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
5638fef15f9e86c8ba4321ca04b449c6

SHA1
cf669c9a3e78cb9b9080218775cfd0defba02c3b

SHA256
079cb13a62c3658b04c3f09ba6e553eb23c585c379162960051c450eaf103284

SHA512
af4b0d8d93dfd5575b95b2ae71d7e5d95ad4524bddd8e757c65febbcfb4d28bd6da61cf03664303d7904d9e01eac6ab9edf2e2fd53a6a285a6787a2aeb2e9631

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
80KB

MD5
5b5f87d7ecb7f6ee1dcf5f6b1d7189cd

SHA1
fe161042d859484b43ef8f9a8bcc6af9d2370984

SHA256
4dd1202420f9b697f66cd5721daaeb17e4f1c128a9cb0cc10a1962621f7e1c38

SHA512
462651022685b4621cce3486d5a49f9782c7ad0ce7da0c64718a3783de1244aee558f2365578aefcb1b4dda12bca1e65604b2402b427d5a168d0f650d5cfaa5a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
108KB

MD5
e85b03513dc93e7802e754cdb7670e4f

SHA1
a3d6ec7fb6922113b84346810256353fdc1fb21e

SHA256
d3061461b9ff983722ac8b93f97258331b92630d529eea45136b9446cae2c6e5

SHA512
6ac3c1557dc00c29a326e7084752ce1cb657c869139bf2db6cbc5cd44f3e16084eb3cdf8313003da0780a8e742da6413604178da2c598553176887a8a5d095ef

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
113KB

MD5
1bad303979d3f86bcbdf1a9477578cf8

SHA1
0cfb89c1e4513a0a0c05242d1856e13a000c741b

SHA256
16ed26e88341a34b48002bec163f7533fbfa16c13f833b20c366cd92c53baf4d

SHA512
b813414fee2e02f149248e21a6c3f9773aff77e826f6f88b1229aa45f4b8526ebbdf9073fd89dd379f0b78b858d19b99aa338911fd13e898b1f6be7a0d08f405

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
216KB

MD5
3c90056d65c82617824795c55c90348b

SHA1
9c2f9b892ebd991806a9c335e1650a054952f2ec

SHA256
9fe8fe8a98747fec6ce43dac1c8280c6c3fc2c20e1cec8d7ee4ad39ed848f844

SHA512
a776479c3ebfb8f4c86bc6fe326533b76d510bf5196a120d07bd689abd93383f3039a582873fed0bad478c4e8057443508c0b0646e81091b9f61b97cac0f0c8c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
279KB

MD5
97ebfc7055b081ce24c613d75bf840c0

SHA1
f6d7ef5166981663f4d2742058102530ef10f913

SHA256
9a25ca3a4a2c2de0e7fa5e809acf2ad18be55a080ff14edca861a622e66dd1c6

SHA512
3c1437bbe2955aadb464f769e9bc76a3f068f675b8473786bfe09ecf92c059f37c55f5bc7f805d87fa57276180c9d7c57f4291361cfa26577f2658ae3883f3e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
158KB

MD5
ab7e49cc607251597a3239f6901efdcb

SHA1
a5dc532b53c776524d274910f4940986264b55a0

SHA256
118ed82cd4f20a735eb844da408ef0593133c38eee3ae99f3ea3b919b5a07820

SHA512
7eac9e337cd3cdb03fa3f963656db7530d3aa2a762eb4d20245de77ffdf529692d2469f0238d5b93b46df3d0fdb59167bb8c4ad3f12618ec01f4ac4c49ba1fbe

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
248KB

MD5
b04324de04457cf6c74c137635a4a27d

SHA1
19fde3a8701457fe5db8e5a171b6dd0f12141b70

SHA256
bdd3ec642dd9be783c488c4357256ca5968362446bfcdef828f80de9e3aab886

SHA512
e57623b3f591e291db8c052c4c238fb26a9c8da5114e478b031afb631236f2521ce3e029f9d3352952c66b6fb8fef766e4e9261d30fa0d97a0c8d44c1a09b070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
127KB

MD5
c5f0c209658506407777912ec9db5107

SHA1
5fcec57fedf2dd94862cc441777288437222e1eb

SHA256
ee3408b44fa2c7959155ebdcf4860f1483cf50dd0b3912c7cce6104c4333385c

SHA512
a7a24336a85786e18b31fc08eebf2a642ab8b5dc715f0bb747e02d0c0f684fd6da671abb3205c642e5816264a8dbc348a2d411b32f53b7ac5851278ec6be82b1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
54KB

MD5
987a0a795896ffb450a732e8057943ef

SHA1
18ac6eba351d57a25932e2d57284e0bfa114f27a

SHA256
3b06c3c55bba9a9cced825bbfcecd4038dd921dbd7f55c040f84431bd269a534

SHA512
f963d4f9a4ca6e765e3556e653a69c2f15d167faf6cdb8e6a6dcbbda44c6686a8067a63b8b0cd2e5ba91b598d8b50b83f8fdfd157cd32dd55b927d29d97ba6b4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
16KB

MD5
d5492e0d5d63bc3b23758230ed0e4186

SHA1
bc8608b1e763cfbc855b71dbe35676ba870211fd

SHA256
242de959dcf4e242cc28dcd2791c55903e69db0051f6732ac7eb4ff6ff5c6cf0

SHA512
fa891a1adf445b867d619eefcac296f85afa52447823906c00e6bd7695ecd7e816f1b93a321265f6cd236605991e3604b6057a9f7e70c54f0925edf1aabb915b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
305KB

MD5
a8443dd73c90d69025d772d5bdde1f1a

SHA1
2ab8ff4d3b08e303a0aecba47b598024af94c51b

SHA256
d71e79c974b138bf3f86d00e101e21a0f87e72c3b3a812069a129f98d1873263

SHA512
8aa1bba59f7e5fc22109efda21a9eb9ab547d8c375eb7d65b38405aa94ca2457866422aa4a5ee6ea8b4e9fe0dc55a2bd3ba9283bad21fdbcac63366fc72428f7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
362KB

MD5
28fb62629e5e1219c74e0f6cccc1a697

SHA1
992da1051cf002b933429c5ef83a8cee8ecc5def

SHA256
c8a4ea040f354a6a43aefdf164fa4e97399d7b66c6a1d5404ef530bc01dd3024

SHA512
0c225369d67947f2f1ec03602cd4b58dfa0b1d32106d2c1b3c0983bb02a9ba92649b6e800678a5110a7c4945a68c0438435a98f2d2ffa3520b7346602084b6bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
35KB

MD5
95884681db485251cc6e1f54cca48655

SHA1
de0d1e86b7d2c251fbd25f4d7d3850e0a82f36c6

SHA256
8348482a306b7a8b5cb47d9b5b90c5fa4b3a8cca26e996781f6adffafa96af98

SHA512
d1ff501a8b811de4ac5bd7a179f1bac0e8a457aa6696f11a8af211237d195acc6090d09cdcc9722f3fe0017848f8ae8383a942df23f835d864bff47be2f90b0f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
455KB

MD5
a7b0c1d80914d7c7a776f9046ba99ccf

SHA1
52df9cb0cbfd9e9dfc3cce8c33f071cbbd151787

SHA256
cae7ef4477bb69ba277a89f9a585a71d7b2ce82afd63c10b8201f0235fe0a924

SHA512
4b5f065c8a9a891f3247eb54f654424ea4bc927b27778df10742d835fd44ea2af789f2ea860748f0adbc2f3d6348cf980d77d676c406f27dbd72d43705d40906

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
264KB

MD5
5214bdeb371d90657829c5d3c8913aa3

SHA1
0a4228ce824735e33a7e029865968192794bc222

SHA256
868c21462a88ff4e258a754445b4b9cb8fba908d2b59bf6c739499ecf482aaa5

SHA512
7192a9d77fba427296988f73ecb89afd730b0ec07a75246d3f7b2e68834ad8bca782bc997c18c2fdc17fd4b32b8eb0365dba8a13d90d44706e47ca46ad87444f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
479KB

MD5
d23b5a3edd6e112f7a64502e9d3f2cd9

SHA1
4ea28cba9f33a3e142fc205cc9a64d3f847c9d9d

SHA256
f22d72cb4a77680c4a5ae5f54e242d71c1c1f26b541eeeb6f140091d48e6e428

SHA512
a2f8df2ef044990f2df77685fb4a4383c7572af551a0049730edb18c28ff43b83b22c015308e65ee4c214744d23064835044837ff5caa007fae1199c1cd80f19

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
228KB

MD5
342e5aa76f722d642b6b3c74bec289b4

SHA1
0f34ac79b58332565e4f880f08c8c8455b589918

SHA256
8577062084721b1c2d17dcf2bfee5fcb02ac1e8b9e3a40f4625b48a433ac664d

SHA512
97db71e92a4f352ce6a495d84abbb2c2cfaaf8ad70c5eba93c3019637838a8f0e6e03f9526fdc1dbefd03810d94530fb115fcf89bb404d3a8b2a4a1ad0b7877d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
1f817da6f1fbfe3890bd20884c208045

SHA1
d5cc5887b924e1b31a6179912c8004d3a2fe73c4

SHA256
bd677a7d0f15923f65b9cd9686251e7fcd16a55778270530526f7fd319e5cdf5

SHA512
c87a880cd0dfb915fb2468d577400e4b4584fc5ae6cd6a97ed2a1d1889119c8d5de7b72be97c4ebe9ef59eaab60960b1aecb562e66379f0b8982fd74192b0392

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
264KB

MD5
de2aa692a41b63751791ebccc00f901c

SHA1
7cddd1f5dbc5a0ec7552ed60a15e5c57b6aa7ef8

SHA256
b1e2ed3b72a0ae2f85613cd06fa26f0a897fdff5cc0cdc0affc27c5bafc328dd

SHA512
c368f39e99609f4aa90dc1ff76059928d06438c38466048a0174645275807e48f8f21714f7539fe40f863cbee91997b48acc1d334554b0d2b513bdc031d82a25

Download Submit
C:\Windows\System32\Locator.exe

Filesize
69KB

MD5
9ea7f7207146de0ff2545b4eded9e7e0

SHA1
6789aa8a140daa654239844de5b24c57b531830d

SHA256
942352c5943e6d454e3bfc930ba1fefd005924c26e1b99af6f1b9a274f76b366

SHA512
4032282d7c907b87c194005ba4f207679f526e2f7818451f3a4b73354ef27135c92e67e654d30c7e303cf3d008b3b26e7ed12f602ec7e4ff1cbb7337fa90dd07

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
361KB

MD5
ea9ee296127e749caf763ce04fdbe564

SHA1
7e04fb72e3c5b70d092a984aa8a78d43d0bf1726

SHA256
bae3598aeeddc6744cee0f6fa9275ea4942bb68714fd0c8e6bf6477fb23db292

SHA512
71628872c96335a8e97c1af8103adabb86ec08520c4b5e993f7f60e455d5ef04fe2475173ea07b7281380da636398e4c8a411e74761b8b7bfa257725f3daf27a

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.1MB

MD5
2d3f409887824b4cebb276f0c67de891

SHA1
48e9a772245c349d3351a5bd99013f59b6257871

SHA256
9462d0f5ed7c1b181061ce8040833c6f1a2610ecaeeb3bee67d42ececac0f108

SHA512
aea80a947bd40f71e930bf21728905c268ac5c86c58b91e7a21ee395547856251e7b9d457a0d918a1264e45f06f8be53bed03588ae84c28f839ba417f302a65c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
505KB

MD5
fb8aadafed955327e33913a548552c34

SHA1
ac3e556c881bd45bf2c89bb1a0b3d2f03939d51d

SHA256
b26074f459186df9d1ac66cd5762bd7d6f36cea55b57296bbe03156248347781

SHA512
f3fee9ed982af106664fdb2fff72c03ec12f800410f45e0d29a593b152b94e9a2d34108d236b446db470fc088dfadc7483f3f7d372599b15b45ff71961b3ee33

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
100KB

MD5
e1682216540599cfa914b9d261e64eb2

SHA1
040ec5efa3119526ee2cfe20337543fe37ee2635

SHA256
9ae5dfadb174069dcfcf1694d410901e899a18c6f3e99b956fcf043d5184e1a0

SHA512
c54a2c2b892ac5be4d9299f1ecc480e04cbbb96b43caedaa5f4cb0ef3baa1b5ddb6a7bd576abbda6902b9c1acd83cacaffbd8d278e47a42f9d22bc01d6713520

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f8d39acda02b82de05d1824190acbd0\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
61a0601504800a2ee8bb7e2a70ef195a

SHA1
ba1b823ec5a372dab4785f18569b7bc9e36726ef

SHA256
216268106ee3972ae06c89672b53d1466adc6b368b5437bf950b5e5141f608d9

SHA512
1f8000a985a430ed1f51a9f9cad2e335561fce07b1786b92d0a9dfef24b7f7589fafb1d353003400e9894cc927578f107e76660b1dfba297061d65fd6b6a5c10

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\45b2b162ce5dac68910aaf9bbc73c1c7\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
87ef55f971da3aebd548af05b90e7638

SHA1
ca75ff3e8540e26bb7128386102153fab990a5c1

SHA256
65409cb9da57847b3c45771477e9344bbb51f0951f1e73e259d44c2b8da95de5

SHA512
d89efec10b50d3aadd79956c0f412407f105bd6028186b6e92f2cd46f3ff115179557f25dc93e2a245d48d54dd97d9ca4afd7c9b41cf79edfadb2b3d70600bdc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5dc1779af24d89d84fdcb02bcbc2a56c\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
0e62f1c04722868f9ed87fbef75bc42f

SHA1
15663d93286cccec929817b5a8395b5a1a68a0c9

SHA256
737a3998b7b72939894d6978a9676d6afe06158ef2adc06352d0541194a22c7f

SHA512
42fb5baf7e210ca981f7d7c346784d1b2fb07892f94bf942461bbd140840ec4db07b90abab0034863045496eef7d034af8b7507babbb472b8d963c0a1b1ce193

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7fab984bd207109ce501e5b8d35cbf70\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
598fab735550d6800bbb261c71d03ff1

SHA1
cc814d23a4ba7f49149c69d0cbcbe6713e79686b

SHA256
6ae6ee2d02ed6c4650b781b613860669962fffe459416a7fb31d1c277032ce4c

SHA512
067eb367324df995945fe2bb95389c8157065131bbd8ec821d6472ce13844efec06f6590293d72670f2ef562eafe8dc9afd70448290e615d03c5feed77229197

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11A.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
93ffc4baf3ea46642f316e85842a304a

SHA1
19fe284115447a60056ebe07b20dc0deb5894a12

SHA256
65e47dc01e5a2f16a6cc121181a714776ea62d6c8549c1cc071e240448b3f553

SHA512
8d21f970c02ddc83e66878cc63e1b540efce05b297ca3c74fc046cda9c6fb8c7a44f66897052cc1a2ca24b362a682289fa5f2fc0811e4c38295c89191f2162b6

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
108KB

MD5
1a035c3f28db94bb311358247c4727bf

SHA1
66da886be3f1c5b94d2534afe16bb13d4cc159bf

SHA256
a683326c5c53d7a6519c76bb07b08029ed003d715018a613cf31d87c15018bd3

SHA512
bcdb983cc3c8cea6d56138d47bee59f09a320c7fb87c9db70da91f36465988bd78e2e96aa179554577b9612c5588371eae6fbb8b1748bcc8547e7ae021f7b2b8

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
0aee24eeeb21ff9fc0433c057fbc37a2

SHA1
0c5980b6adaec858d83f47886d0b055d6ba58f53

SHA256
b2e5a628bc6cee446cf4fa939ba2a0b73e16611cd2bd4e7fc711b1a125e1bd19

SHA512
1b0e2e22ef547ab8eb800b9c74ffbeb13aa8f26c1aa0487de6b0c6e2e9ace72426b24b472b9d616b167cd09846c44ccd3367aea86b601b39112bb560038c68a9

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
a65cbb2439510f8516bd309f2eb00035

SHA1
0161503159852ed4c79215e7380428780761a1d0

SHA256
d46ab4c810ebe0358345266d5b41d81619d3eb8e0130bcd5ce61bf4ebd4286af

SHA512
246713ed636090bc3052e3df91b7d6e61e6ff3bf15a6a02c55641b70afccb05ab009cf7991205b0b075049138d97a4f38fc0d924b54f8f041d6e0d4733555d4a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
64KB

MD5
9b50c19127bed71c823eb003d78225ec

SHA1
e15e126bcc39eb370cc0c9a2f04d1775ad5051bf

SHA256
99b6f00fd89aa9f74915f0560daf806beeb960a73f0af4ab6d95759a31fbb334

SHA512
e3d3bde77e4eaca11b21bfa57c65b523958dbe0e14e1eb132894c0d1292a0f071b8a4d8f19de237dc32d59aae739a7f86a5d1304402a1014ed83f542c6df01d6

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4a96f7ca2619684269b17dea32feff9d

SHA1
b15558131cc8f8d9e922444251362a32886a9204

SHA256
f58f302c08fd08a793202a91064d0cbf91dd390bd1b9142ee7f416cc3fd81f14

SHA512
3374df2989a8db5665b76ce49a793ed8e60f87ce976cf54bd6d56ac7624579bebc79dffec8bfbff4b71639f401bd91d3e359c503403079282a51cf3bd2a56b54

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
560KB

MD5
6dd1da0376238c14303a0493279ece5d

SHA1
975835c1e1b3ff10eb3bfcd7d28e5aa9d8991505

SHA256
415e05dd309da7644a27a24f9da116a706e6f7545113102314a16391c0ae22b7

SHA512
287581c5c3ef1cb062152d59ffb8875429d5578d025a036b5c090ba312d096f6352cd96b743427dd212e0875ff83d9ca38e0b5870cb45ea776935510626d3f25

Download Submit
\Windows\System32\Locator.exe

Filesize
188KB

MD5
8d7eb5aefe147ff5322584af3e4c7a17

SHA1
a47ef13c8925d46b79e385d47bc18a19ada4627a

SHA256
3151d1cf9c7a24891f701e06c0aeee4b1cf3face72b24e36b5ddc07b7061bf58

SHA512
5210fc5466fad59767d2be0ef9c65a0b9abed4cbf67743aed303964e2a485f1748a43b6f2b1dd12cada5f21beedc20359d7b31dddb6e39b95d00058c628585f2

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
60e36ae3667f8524ef23e2265a7d559d

SHA1
09c0010d9cc0a80272bf6772612cc73a67b7fb9f

SHA256
806459aa21a113a4dc24587a17d94cc5e4dad079c5514264f6ce6cf93a20e5c7

SHA512
636b6bcf4803e3db2302a9853182585a9235dbc46c165463c1f2623a6ccc40e4625139fa71e0332bf14d75178d4290312c0bb65439870b5c0f23195d7ab027f5

Download Submit
\Windows\System32\dllhost.exe

Filesize
359KB

MD5
ad91b9d177175f37f5a6d61e926308d6

SHA1
f470d1aa803b9f85cb6c9d7d5855df97580ca560

SHA256
977d795dfc977e5c74b22c14dba5e13ad0434d750d8fc5447f390e743af89864

SHA512
5743af6abaea3e9c5db0601a74cea2e242e0661dc86e21eb31efaeaea3e3d9b7bdff32ef9a8eb23443c547c244a540c8f090e8c549fac781f00cc33c2dcc824f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
c4880e4257bdcf848fe3a02b7ca850cf

SHA1
5f647d46c8d7e17ef42289aaf6c21f520f0d08f8

SHA256
c3c06af48706cd8ee561fe321acc42ba1b854a7dcfddc8a03a5aaf17d3425f1e

SHA512
1738e3a9486b7ae9a05e211047d745ac362aecc12cfd69a6608551d2b9f1d37d42d7f13f225b8d83919df174028a2c6f98cd3a4b708628fa88b9f3a781eb2372

Download Submit
\Windows\System32\msdtc.exe

Filesize
519KB

MD5
343611d7f1980df59a7ee261980c97f4

SHA1
c9813016ea84c2465463fc17a593ce8405c91ebb

SHA256
380c4a24580884e81097aa4058252b525301d02e0814b0d72ba5f47854ebaa47

SHA512
17a8f96aa966709b61751563e73f9560b53efc4deecffb037a9243e4a198f38d251f68d808abc3b0782e743cee3590cbb8ab12098a44f5a26d3071b7b78368d4

Download Submit
\Windows\System32\msiexec.exe

Filesize
129KB

MD5
7ebae880fd20618bbb5395c27b28f154

SHA1
17f6ea657790cdd9f3d2e669ccad46950743490d

SHA256
f9f1ef043ccbac5a81d6ad132542830137dcc5db48327eb119abe44dd65c01eb

SHA512
559d0f2ea0c88343c02399c6cd107d9a2f8fe048fa62e96f5a507743cc3d46d3f53045bc1d6b9aa4bf68b926438f173a95cb2c30ed6047ff4b742255f333f1bb

Download Submit
\Windows\System32\msiexec.exe

Filesize
17KB

MD5
08aec0463a4cc3347444c6a0e02ddcbf

SHA1
dee6a2396f86bac696a7a12db3ae5577eb7390ba

SHA256
2f6b077846d4c409b90fd802d38a778c2086ae5ea6f9cd0e475573218d138f20

SHA512
32cc13e514b3afa4b14f5459d22bcbfc11d084102e05fa32432b61ddb347e09fb7204bc0dce9bd0c57a639f746d1b3ba01eef29d56f5893923ad0cbad9dba651

Download Submit
\Windows\System32\snmptrap.exe

Filesize
867KB

MD5
80b0319444bcbbffc1fd20cd5be9dc8f

SHA1
fdb661b7bdf6e7ba254cd8b83cc0693ee44121c5

SHA256
84a3d50741991e64b6897756d966d692e36e95fdf39dc914cd252db719cad0ca

SHA512
835fc7187994ee209ccc72a1dda0452a87495de7ffdac1997b58bb99b428bd18857265525c2023a96864a047af53d990a433fe4f8bd6a2cfed9cbe6b34fb6b5d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
188KB

MD5
4e505a8d5ddd2fe520285b7406c54665

SHA1
e4ada8459874ce84dfe000ba21d5d8115e1c9fc2

SHA256
591a08b09c3692853f3232fafbda0c697e0e96e833879da4402f26c590dfe2bd

SHA512
35bd37a2942f3ae6ef7af3b840fdb6ef4be5103806c97646fcb5f658f89c18e1398a7e364296b321f7c5a5ce7cd15fb98043eb0f66b1b40a27953269b8a9a72a

Download Submit
\Windows\ehome\ehsched.exe

Filesize
241KB

MD5
c60e51d2ee5123d91c1fda825c2450a6

SHA1
ff0545d31060cbcce44f066d56ba65c04935bc8e

SHA256
1d35e98a900e0582019df38e697a7bb9b8adae19686fbfa29905988b290a35bc

SHA512
0d1a067ab33ba2a676faa6ba2ac35aa41edab058abc503bd594c8cc1180be2d08d6eb151b801ae31d9427213445b090622c1e0408e54638ba14f1f5ede2ee41c

Download Submit
memory/860-145-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/860-143-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/860-149-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/860-293-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1504-362-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/1504-513-0x00000000741C8000-0x00000000741DD000-memory.dmp

Filesize
84KB

Download
memory/1504-482-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1504-356-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1504-366-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1504-376-0x00000000741C8000-0x00000000741DD000-memory.dmp

Filesize
84KB

Download
memory/1544-206-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1544-348-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1544-291-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1616-481-0x0000000072A80000-0x000000007316E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-463-0x0000000072A80000-0x000000007316E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-441-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1616-479-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1644-577-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1740-516-0x0000000072A80000-0x000000007316E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-485-0x0000000072A80000-0x000000007316E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-477-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1740-519-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1932-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1932-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1932-282-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1932-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1932-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1932-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1984-319-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1984-184-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1984-188-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1984-180-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2072-363-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2072-292-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2072-337-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2072-193-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2072-201-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2084-171-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2084-166-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2084-164-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2084-304-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2228-524-0x0000000072A80000-0x000000007316E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-515-0x0000000000C10000-0x0000000000C77000-memory.dmp

Filesize
412KB

Download
memory/2708-330-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2708-318-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2720-305-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2720-374-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2720-295-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2728-23-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2728-24-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2728-84-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2728-163-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2780-181-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2780-95-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2780-96-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2780-102-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2784-350-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2784-340-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2784-470-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2884-124-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2884-161-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2884-125-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2884-132-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2936-106-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2936-140-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2936-113-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2936-107-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/3008-322-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-573-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/3008-385-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-317-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/3008-439-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/3008-549-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/3008-442-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/3008-316-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-335-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3060-336-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download