260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
Size

1.8MB
MD5

1bd883a27bf694ac1ef81c9f5399b1dc
SHA1

ca91d8893d9f12fb8461df2d3304809177bb1962
SHA256

260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b
SHA512

281614ac257231b8427e1419412d89e1374d5836681a5e2ea543b21db4dade25c32c3c324dba281c22ff6495ac012fb5198721a6dc5aaddd2d5d39438ca83282
SSDEEP

49152:0KJ0WR7AFPyyiSruXKpk3WFDL9zxnSeN/j2U4FH:0KlBAFPydSS6W6X9lnjj2jF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2172	alg.exe
2660	aspnet_state.exe
2088	mscorsvw.exe
748	mscorsvw.exe
2180	mscorsvw.exe
1632	mscorsvw.exe
1172	ehRecvr.exe
2444	ehsched.exe
396	elevation_service.exe
912	IEEtwCollector.exe
2732	dllhost.exe
2648	GROOVE.EXE
3024	maintenanceservice.exe
1576	OSE.EXE
1412	mscorsvw.exe
1864	OSPPSVC.EXE
1608	mscorsvw.exe
2856	mscorsvw.exe
2416	mscorsvw.exe
2476	mscorsvw.exe
1068	mscorsvw.exe
2668	mscorsvw.exe
2844	mscorsvw.exe
2944	mscorsvw.exe
2240	mscorsvw.exe
2260	mscorsvw.exe
2360	mscorsvw.exe
1624	mscorsvw.exe
2032	mscorsvw.exe
3016	mscorsvw.exe
1752	mscorsvw.exe
2708	mscorsvw.exe
2848	mscorsvw.exe
2440	mscorsvw.exe
2672	mscorsvw.exe
1308	mscorsvw.exe
2060	mscorsvw.exe
1644	mscorsvw.exe
764	mscorsvw.exe
2524	mscorsvw.exe
1912	mscorsvw.exe
2916	mscorsvw.exe
2120	mscorsvw.exe
1052	mscorsvw.exe
2636	mscorsvw.exe
1592	mscorsvw.exe
1600	mscorsvw.exe
1716	mscorsvw.exe
2932	mscorsvw.exe
1868	mscorsvw.exe
2312	mscorsvw.exe
524	mscorsvw.exe
2136	mscorsvw.exe
2388	mscorsvw.exe
2816	mscorsvw.exe
2680	mscorsvw.exe
2800	mscorsvw.exe
1456	mscorsvw.exe
1812	mscorsvw.exe
792	mscorsvw.exe
1676	mscorsvw.exe
812	mscorsvw.exe
2144	mscorsvw.exe

Loads dropped DLL 44 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2636	mscorsvw.exe
2636	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
2932	mscorsvw.exe
2932	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
2136	mscorsvw.exe
2136	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2800	mscorsvw.exe
2800	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1676	mscorsvw.exe
1676	mscorsvw.exe
2144	mscorsvw.exe
2144	mscorsvw.exe
2484	mscorsvw.exe
2484	mscorsvw.exe
2500	mscorsvw.exe
2500	mscorsvw.exe
3056	mscorsvw.exe
3056	mscorsvw.exe
2396	mscorsvw.exe
2396	mscorsvw.exe
1224	mscorsvw.exe
1224	mscorsvw.exe
1548	mscorsvw.exe
1548	mscorsvw.exe
2124	mscorsvw.exe
2124	mscorsvw.exe
596	mscorsvw.exe
596	mscorsvw.exe
1308	mscorsvw.exe
1308	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\40aff0e1c0d5d3a4.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\GoogleUpdateSetup.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\goopdateres_ja.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\goopdateres_mr.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\GoogleUpdateOnDemand.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\goopdateres_ko.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\goopdateres_kn.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\goopdateres_ar.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\goopdateres_lv.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA0.tmp\goopdateres_fa.dll	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP54D4.tmp\ehiActivScp.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFB9E.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1610.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDD6.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4FB6.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
984	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1740	260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: 33	788	EhTray.exe
Token: SeIncBasePriorityPrivilege	788	EhTray.exe
Token: SeDebugPrivilege	984	ehRec.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: 33	788	EhTray.exe
Token: SeIncBasePriorityPrivilege	788	EhTray.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeDebugPrivilege	2172	alg.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeDebugPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
788	EhTray.exe
788	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
788	EhTray.exe
788	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1412	1632	mscorsvw.exe	43
PID 1632 wrote to memory of 1412	1632	mscorsvw.exe	43
PID 1632 wrote to memory of 1412	1632	mscorsvw.exe	43
PID 1632 wrote to memory of 1608	1632	mscorsvw.exe	46
PID 1632 wrote to memory of 1608	1632	mscorsvw.exe	46
PID 1632 wrote to memory of 1608	1632	mscorsvw.exe	46
PID 2180 wrote to memory of 2856	2180	mscorsvw.exe	47
PID 2180 wrote to memory of 2856	2180	mscorsvw.exe	47
PID 2180 wrote to memory of 2856	2180	mscorsvw.exe	47
PID 2180 wrote to memory of 2856	2180	mscorsvw.exe	47
PID 2180 wrote to memory of 2416	2180	mscorsvw.exe	48
PID 2180 wrote to memory of 2416	2180	mscorsvw.exe	48
PID 2180 wrote to memory of 2416	2180	mscorsvw.exe	48
PID 2180 wrote to memory of 2416	2180	mscorsvw.exe	48
PID 2180 wrote to memory of 2476	2180	mscorsvw.exe	49
PID 2180 wrote to memory of 2476	2180	mscorsvw.exe	49
PID 2180 wrote to memory of 2476	2180	mscorsvw.exe	49
PID 2180 wrote to memory of 2476	2180	mscorsvw.exe	49
PID 2180 wrote to memory of 1068	2180	mscorsvw.exe	50
PID 2180 wrote to memory of 1068	2180	mscorsvw.exe	50
PID 2180 wrote to memory of 1068	2180	mscorsvw.exe	50
PID 2180 wrote to memory of 1068	2180	mscorsvw.exe	50
PID 2180 wrote to memory of 2668	2180	mscorsvw.exe	51
PID 2180 wrote to memory of 2668	2180	mscorsvw.exe	51
PID 2180 wrote to memory of 2668	2180	mscorsvw.exe	51
PID 2180 wrote to memory of 2668	2180	mscorsvw.exe	51
PID 2180 wrote to memory of 2844	2180	mscorsvw.exe	52
PID 2180 wrote to memory of 2844	2180	mscorsvw.exe	52
PID 2180 wrote to memory of 2844	2180	mscorsvw.exe	52
PID 2180 wrote to memory of 2844	2180	mscorsvw.exe	52
PID 2180 wrote to memory of 2944	2180	mscorsvw.exe	53
PID 2180 wrote to memory of 2944	2180	mscorsvw.exe	53
PID 2180 wrote to memory of 2944	2180	mscorsvw.exe	53
PID 2180 wrote to memory of 2944	2180	mscorsvw.exe	53
PID 2180 wrote to memory of 2240	2180	mscorsvw.exe	54
PID 2180 wrote to memory of 2240	2180	mscorsvw.exe	54
PID 2180 wrote to memory of 2240	2180	mscorsvw.exe	54
PID 2180 wrote to memory of 2240	2180	mscorsvw.exe	54
PID 2180 wrote to memory of 2260	2180	mscorsvw.exe	55
PID 2180 wrote to memory of 2260	2180	mscorsvw.exe	55
PID 2180 wrote to memory of 2260	2180	mscorsvw.exe	55
PID 2180 wrote to memory of 2260	2180	mscorsvw.exe	55
PID 2180 wrote to memory of 2360	2180	mscorsvw.exe	56
PID 2180 wrote to memory of 2360	2180	mscorsvw.exe	56
PID 2180 wrote to memory of 2360	2180	mscorsvw.exe	56
PID 2180 wrote to memory of 2360	2180	mscorsvw.exe	56
PID 2180 wrote to memory of 1624	2180	mscorsvw.exe	57
PID 2180 wrote to memory of 1624	2180	mscorsvw.exe	57
PID 2180 wrote to memory of 1624	2180	mscorsvw.exe	57
PID 2180 wrote to memory of 1624	2180	mscorsvw.exe	57
PID 2180 wrote to memory of 2032	2180	mscorsvw.exe	58
PID 2180 wrote to memory of 2032	2180	mscorsvw.exe	58
PID 2180 wrote to memory of 2032	2180	mscorsvw.exe	58
PID 2180 wrote to memory of 2032	2180	mscorsvw.exe	58
PID 2180 wrote to memory of 3016	2180	mscorsvw.exe	59
PID 2180 wrote to memory of 3016	2180	mscorsvw.exe	59
PID 2180 wrote to memory of 3016	2180	mscorsvw.exe	59
PID 2180 wrote to memory of 3016	2180	mscorsvw.exe	59
PID 2180 wrote to memory of 1752	2180	mscorsvw.exe	60
PID 2180 wrote to memory of 1752	2180	mscorsvw.exe	60
PID 2180 wrote to memory of 1752	2180	mscorsvw.exe	60
PID 2180 wrote to memory of 1752	2180	mscorsvw.exe	60
PID 2180 wrote to memory of 2708	2180	mscorsvw.exe	61
PID 2180 wrote to memory of 2708	2180	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe
"C:\Users\Admin\AppData\Local\Temp\260f1ea9fab2a1ce2a2c90ba39990a5e73afff211f0d1f4076fb052e3da39a7b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 258 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 260 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 268 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 23c -NGENProcess 1d4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 274 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 28c -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 27c -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 1a4 -NGENProcess 180 -Pipe 19c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 200 -NGENProcess 1ec -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 208 -NGENProcess 1f0 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1a4 -NGENProcess 20c -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 1f4 -NGENProcess 210 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 210 -NGENProcess 1f0 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1a4 -NGENProcess 21c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1f4 -NGENProcess 220 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 1f4 -NGENProcess 1ec -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 158 -InterruptEvent 14c -NGENProcess 228 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 14c -NGENProcess 158 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 224 -NGENProcess 230 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 234 -NGENProcess 158 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 210 -NGENProcess 238 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 220 -NGENProcess 23c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 23c -NGENProcess 158 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 234 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f4 -NGENProcess 234 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 220 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 248 -NGENProcess 250 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 24c -Pipe 158 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 234 -NGENProcess 22c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 14c -NGENProcess 254 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 254 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 22c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 14c -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 25c -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 270 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 22c -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 270 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 274 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent a0 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 29c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent a0 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 9c -NGENProcess 2a0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 9c -InterruptEvent 2a8 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 29c -NGENProcess 2ac -Pipe 9c -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b0 -NGENProcess 2a4 -Pipe a0 -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 25c -NGENProcess 234 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 2b8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 29c -NGENProcess 2a8 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c4 -NGENProcess 2a8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a0 -NGENProcess 2c8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 2c8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2b8 -NGENProcess 2d0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d0 -NGENProcess 144 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2bc -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b8 -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 25c -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2e4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2dc -NGENProcess 2e8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 144 -InterruptEvent 2dc -NGENProcess 2a0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 27c -NGENProcess 2f0 -Pipe 144 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:108

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1172

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:788

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:396

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:912

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2732

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2648

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1576

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
4fad7b12c6f0e5762d0e8bedadda27ab

SHA1
f943592a036452b1a801bf3187063eb9354a0da5

SHA256
7e7a9847292baaa2a8d9fc99cb4310b7b887b0836b3359a48c351b5de766afaf

SHA512
a9de5f37dc7e6b8dd22a31a6d99ffeac010df71f14ca99fec8e3ac7fc572a4303981a5d2a86b4cf0f60991df6cc1af60e4908a05060fabb7a1f11b3d6e118a09

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
64f383d05b43eefda00db17555d67620

SHA1
0d35f7d9b94cca3a62990d8f5ec9c6daf041f7aa

SHA256
74d42b651dbeb686fea5c7ea78401ff8c5f0b1588485d39b94e6564df3f83cd0

SHA512
777448f1461b5b95f4435b769c7d2393a9235b0f26d68006a0f7bf5e6d171439054940cdfc3a40ab8ac9fd225d9a626d09b93f2520c1424f9f0b7989f398b727

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
e95b6c91dfefd82df619603f639ab8db

SHA1
917f6bf0348d89c15823a7e29cb7550af6937700

SHA256
b8a5c388d365d7a38996eb8f378c2c51d896ea4c2d37dfe1b80d18ab22c4c80b

SHA512
52d7b340eb607acd7f0f14716952ea53044c111a4ce2a3309d4d5b8f0c12afbd188dd7bea61a6c29614e174c560046f16d0e964aa9d27ff5ff702cd97ef47b22

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
64a114a361c91c1654f3d05c94335ab8

SHA1
b688c78d0c7c536aa4b3abf0f214c7133cdaaa25

SHA256
8547ac03ef5cbbc27c58ddfc6499371e997a3f0d84151df327f2f27d8f786c5d

SHA512
aa987c94db4c1014769fe69e85aff03a2ee3776d74295c81e0f9795060058024d27a04d58f4e9fa2d3b41337dc0b77a858a591628d7c8af1a767e95a6382c843

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
a450d1863ad14b98a0681ab3f8dcf2e2

SHA1
ee0c53de30ae1ade5cfe86fd7991f96f81549e94

SHA256
ea684746257111e40bc79e3b01396a755c37aac737fcc62e3be0e54ca6f3050a

SHA512
c03c9b2d251d7400d3b3de90509c78431ce7ed2dcfea737611e3ca1f0ddbcfffa5553792f31ee1850088ac4eb3c331aa9a68de3402a968a0e1d6a07a0bbbe87e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
4.4MB

MD5
8479f9e5115b6fc65da02830760082c7

SHA1
10bd68c24d0ba83251997995881fcbe147e9164d

SHA256
a5fddc0597c0b175613dde15a72abdf665236a66a54cdad594bd63cdc1e0c465

SHA512
94ae014efc57440eb6d1d4630c4894a838b524e13195d176d30e69b1723e6a5b71d9c34d0bf9ba23ad323170707922a222262eaa1b9938c19945ed4b9befdb33

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
704KB

MD5
345dfd42044874b6d68db86fd6b39bb1

SHA1
1a900e8185ccd243cf21e7b2a4fd464303add983

SHA256
7598211beed6f6e539f8609e51913e5a5040f0770d99b164f80371dd7f8f3199

SHA512
4f0d12bf0b3bda5cb29514c40cf9cb7bf21f079c0da268e4d071324e74ee27f269b11e5c0eda2817257a616f116c98ff507990986243090c2901deb19572aba1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
15c466d4cc99383d0e881ee4d3a9a9a1

SHA1
7e4d15fdce9af049a28ddee67c6d1ee0cbba27bf

SHA256
0bf5cb36fffbb52b477ba2aa43db2cae5f85fb248e3221ba1d42198d969be7ee

SHA512
72f9e6e99fde5950ae78a152b772d3c1372925121aac76eb7c76212b2a0c57d6cf6457797c8791f6dc7a5cb30d292d0024753f8bb9f8272ab12b38f778bde683

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5d46d9a9c5cacbcd164aff3b680112ed

SHA1
4f5df7deac89fe5785bd10890d9ee34bb6361993

SHA256
41a8e69856538a263799145ee4573e1f764a247ac58ef85ffae6e30ef9721ccb

SHA512
286088c92af532349f9b7b06f38440e56a4e7d0614985ae1cfb375720757144d28da421c764ed974452009a9c56114d3709c0e3a61af5af42f58792094223379

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8153e8d8a36e6425148aed2559ad878f

SHA1
7636e8ff7950e9d00b9e261423fe56f4c70f1b75

SHA256
ccd90d6ae17ebf6a778ebbebaf19a7e85f1d535d2088d61b9a84052fd12ff257

SHA512
7f60ee40398f39c82d5f323f6b37d5b129fed0eee73bf3b7f4cb37b1ce4c344341310157879a16704f944f6eeee9e58a1cc7a92bee5aff04af17384852605efd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f0892c821b21db9cd883a10706463b92

SHA1
32ec02234945175b997359c905ecbeeb2e21c1db

SHA256
9771f88b2b5b766e24dfe3bfa8d103a12cb96d4a9ebc8f72719588a202775248

SHA512
e3e52cc0cd2f96526ee65ccf430b760b88d514c8c59664fe953c97e7776949697a250acc20f513fa33b3defbd3ed2082d65f121dc5170f82078b069399dfdffa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
808d53dafa0fb83c21b17a8b02b2c2c6

SHA1
f371544bba104bfc24a12b1e5b60bcd52024c23b

SHA256
1a69bf012eaf186920041547cd022c96c766a5f33ebe68e783c3c18aced5a9ff

SHA512
3493dc61934dfe91e81ce64dba99beeeb5f56704d47d8e33527189d93f1d1b641c1b43aef96d0caaa93270110a57c3a335ac737d91760620c34f8be60a9f1281

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
4.8MB

MD5
4cddf54d00c316cee34d6816fd1f7589

SHA1
7dc808d247530dc56d1e14efaa7ec29ba8e95cf4

SHA256
ebb8336677a6cb840b1a63251f5fc33b023e5be99710a39b8ea7ec44045863af

SHA512
51636ff315e3df46d2ae8f98fb92f983a0114e909534964771a537dedb7076da79aec9221de477f8505c1ac4dbf4ec18a0ae73a91c81192a30e4eb7b006f0a10

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9b5750daae62145a0a00ff87ad226d71

SHA1
d9fd642821e0ef8341281f8d878ca0d8b5317a85

SHA256
896a6b3c8e776eb51e176b0d2e6cdaf0b925f631cb45ca6aab6378bf72cfc0c6

SHA512
6098e9a2a8c83a83728a0479528ae81c9fcb10e59f0a80dc519c2a8141ecb1d0d887c9ea333619d1116a54ff07b5f5d5773f2246c8e65023cd8e6b27c1209d2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
ed9784f7a918c0d56ab2eac7da3ccf1c

SHA1
5ca447bcbef741a3d55f7dea89736b79ddcacf3e

SHA256
548924d2d938be27e5cc03045cb399eafc0f49e337307c141bfd7c9a0e5f4b35

SHA512
13110ea98e7e456e3311aca1bada86eeae714902a0ba8ce3ad6f8b91798d16b67a030ae5dbfc1144890b4874abbe9d5218e35f533b677570396496627f84047b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
e3bed17e9e6f1ed0ff9f03ca290d3cee

SHA1
43a2af94e0d14fefc5f206242c2f250670f36b6c

SHA256
0e8317d306d7e2bfd618e939bccd5710e07475e85d1bbf97410fb3c19ad17acf

SHA512
5d61d3ba85adf448fcfcb5b64a288eaffaf56d2b244d13e4a80aabe7c1813f04ee9757e59ac95b657004736441c9d1807f0e25d1eedb8c36e82e949fbc1ebc83

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
796e90c56032fe3ab5c567ab2c7c2391

SHA1
49d0fae70d37e59855c7cbc306d7cca4c07f551b

SHA256
6ab5898f522deadc57135c145d8ebcbc0e5dd00aed4a909000f52c80160ba859

SHA512
b178bbe554a38de1bde4c757eebced35779e9c8f780e6138dfaf79a7d49e2cf4e4def89df808ef9c8ecbc53b82937ef61556d542afc3b6a127b6d7f2d8488f2c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
7177698e8c903d425307e6659e449630

SHA1
f7a5c1ff563160a83faeda780e4612a021dbf5c8

SHA256
92d97bea3d2db68f38692aa3972d777ccd9060e4d2e8062eb4bb2fd58c789139

SHA512
25c20c14749dbdc9aa4e545b6678b9e666407420f3d8672f555d5fbbb4883f72b97d336a4db8069d79c06bccd1dec7d4880ceb08d70f7ea9a09985740968a420

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5f50c850cf98aa656b6bcca009bef214

SHA1
3b07d57b55854bfc70ccc793f4a7c2f692276175

SHA256
dd7b0b0e3cc1cde26749acdf02cf09e193b8f8ab6b7787e86b2264739fc4bcaa

SHA512
f94f5db809ded14891ebf6f645ad49a87885a6c36a5e4a81bbcc90122281f7d0acce4e242cb954b74d587695f474b219c9778232df20bd6568c58e47bf664061

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
3b29b1b9c4089ebe9abb93b7531a728e

SHA1
13197f845dd83c1e773ee167bcac13b621993820

SHA256
0c6171faebd29416f1ae1820abc4e1526c2c7ce035c3c79f49b716c41ca1f227

SHA512
759050a11724a545746e550adbe67bf6147da737b33dde3ab953aea9fa49fe8c1ecf33c2c666949b835001053bf9ccbcdd097b6e8e20cd8b50b586ff33d1d20a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\09a18f4edce00f0376ac8883d7bbcb82\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
28265d666fc9c9bf09ce665d9f820317

SHA1
61210fd7f9c0bc9796dd4df193a1e893d05c784f

SHA256
eb5739bb192a21451d197d4e5406b2eb5d1428a0e9220f6666667fadf7bc3457

SHA512
01ca86728192531e6663e77b74afe7e1712be18879b93b143fd257e0e6b0f5e2e0885ca0c907841ec73d9cf45f9133967e51c513a7938d9985a736bf531ab2f0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\24b762b9e31bc64904f469be6d4a6031\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
f662e53183dbf75da82614a4bcc0bc57

SHA1
3db2c241755778c9bf5c76ca1808f768137a23b5

SHA256
c89c9061a428a3438d8af3bc7a30474dee1c01eef436f1450eab3098907a1f3d

SHA512
04b275ce3eca8edf9e8c0d1675d3f9c8b5ebbed34db891a3475f36ed960e0d87046e483ee6d289065ed2ac509add0456c8d9060923ce39b8f24f72b2c6f00ae0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\57a5ce2c26f855a66aa908527280a1de\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
f31465c3743eba298bab25eb61de636b

SHA1
7efa1a69095b42c3a1082348958d6adf1e98e1de

SHA256
2e0c50203c79bfe607eef6d2947d730f3e0c10ae73f5baff1ec93ce9aa799362

SHA512
9cdfa2e737a0cff74e58bf12bdc5863cc7f6717b945247be64174b484f79717ae908a6e092365dde1fb217f046f94b5c1db034155fe10098867992250466b3e3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ec9aaa7c8889f20902aea3b907c6f131\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
85e3e992fa470b74ace11d3cc4489f25

SHA1
eb25964bd51b4dabd3df092c4015b6d266cd72af

SHA256
05fee0e1543aef5b5a2a367073709dbcdb0b590a4c04f67fa4401757cf0b0cda

SHA512
7e878ef1a1a505ce431f9a7422511114e0dcee7a932691b5e4decc75e3ab70d43d84e7a9999e719d2eb5fa1ac20fbb5ea638310d6a669364b8804d76d7ce4244

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
c24ac9db9fa7b361abe2edaf64ea0450

SHA1
c94e8c6b3292ef6bcb05081bde1be528628366b2

SHA256
f98d91a061fc0ff3b273c378c5fd0a277a1ba59880b2b471738f6a11a534d5e8

SHA512
6482fa7d3d632fce397db977461aac5d7f66df5b189f3134474b957ac99af627ddafa179150bf66495b6073155869d47f22d16d2a2f84dfd564b330bd20e6a78

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
128KB

MD5
5f2571e13c5140b0a361335249fa0252

SHA1
5aec1c60a0cb1b8d4b7d80ec3eaa0fa65a9ff0e9

SHA256
fa936daf5d2f61dd36f4433d32581c1df49cb1122ec4441c3b81d13ce62e91da

SHA512
33c4df9cdadae423971061469fa46c2ccf3a9dee603667636285c55ce574a074df8d70d927e8724f5ddb55a21380e3d585444e14dc06abb93f9fc3a8917b46fb

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
509f83023a84674c5bc6a7055f3fafb8

SHA1
f57706aa403c70c059fab7bc103420ba7ad49235

SHA256
b1e9f37cc4bfd27de4acf61436ae71fbf2d2588c3b16100cda3256aacc596e6f

SHA512
b05917df3b4c94794fa644624f45faef7f2636ba519a5fffcf349341680b841a04fe8fdda2f992f875d3472d47b68db39c3f1171520f5d0071ec521ba0cf5651

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
cc5fc112ee6be612fc328a822fad6e11

SHA1
4ad6c4edc3d98774ca0a225c45b2956e23b54eae

SHA256
fb9e0ef71d49ac3e8da834926c28b4837ce6d855d20a06d12c3a8bd0b10c3b6d

SHA512
59830f4c45b9b25a3be9e5a533a4c743e31e83bdd2938b927b432371cabeda87402af9acd2d2d95aaf22c88a576499b6b905a0c79ec28a80717a0464a722490b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
bd49255a86c1ca5b8b29120dc2ea6b77

SHA1
8e6a6ae988610cc155e92c96f1d6139158737e23

SHA256
d9004d3392d9ff93d0d7367608d50b48cc3f105dd6fd8af41957e865e0655bb2

SHA512
d033edaaf9b4484df48a0874307a5305f291862bce4bbe3f39945748933694b0f13a13b18a5be92b078c8685f6f4edb43916888cca1a311610681bcbe730a3fc

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
5c5cd3c750c630d710000e109a3a5ffd

SHA1
ba14b9322f3a6912293d731e96a14bb549342f2d

SHA256
45f4acab2d3db8793444af939960020614c0b2da998d821c2f90b0f3a42a615d

SHA512
16b075625eda5eed2c0d515680dfb8abf4f72550affca42d4b3d39f23eae0a3b300e542a4454f0af547a5db2b2f9a6d44cc0c51b7bdd5ed4070ab738662e4732

Download Submit
\Windows\System32\dllhost.exe

Filesize
128KB

MD5
fe25f0c36cea9cf3e799f2aa991f66a4

SHA1
94c6b7f30164ab9d12af8bcd6c3b522627b21f38

SHA256
f545b9d663498e2c43192b566053a1914b7fbedb287a6be5ae920d96ac9cee4d

SHA512
c632b1485a22a895b46a3c9c415da0a115b1bf3c0cd0f04c312c93687c653feb9312917af4a0726121bbddb55d33e86227ed9c70581911671526b301d83bf59b

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
d3527b0176c7ba643c9412389780447a

SHA1
90690abf9a871619e4bd09ab06f3b07a28b5aec5

SHA256
8acd14e131ddc6f64da4556c5d91c694fce9f1f92836c34dc1d54e2a4802dc22

SHA512
d430b1808483e3fdc32078c92e364af7d11b70d02977c520b0000c486714b22bbb46432f75d5af38be15950d9dfdaaba59632d31a2f94a02a6e70991ecdf9f1b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
486KB

MD5
4e3f935e7c015d87cdcd80829c846f85

SHA1
2ce0f8aeaebd8bf10c355bf1e9793d7e16c70dc8

SHA256
98ecda8e8f83d270763af05f0e7d88654af4b28d05408e55ec5d02e05a37d72b

SHA512
48157c442d7a967d8a1749b4868dadc5576fcbe244678a7d67f53e84d003e77ea88fbffec557994fab83afb72ee96955f61af40e43e7da78635df35e7aec000e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
86bcf9d86b714effb51c424ce1757588

SHA1
a44ee3095570308a7a4949628e78a24136b2ec81

SHA256
f818c04d9f64bb701da2ede1f18c43ad8bd33bef2a3e72dec43d153760a59778

SHA512
edacdfce35a6bd8423b6a075cd84e87f75df1e306fee5a02fb97dc5837a3b11e24a835ab0df77b74ebe1b54fd6a590f14b88c863d32aa344fc799f6a8d13b5f9

Download Submit
memory/396-319-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/396-186-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/396-181-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/396-179-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/748-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/748-142-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/912-201-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/912-203-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/912-191-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/912-331-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/984-193-0x000007FEF4520000-0x000007FEF4EBD000-memory.dmp

Filesize
9.6MB

Download
memory/984-369-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/984-303-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/984-371-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/984-198-0x000007FEF4520000-0x000007FEF4EBD000-memory.dmp

Filesize
9.6MB

Download
memory/984-330-0x000007FEF4520000-0x000007FEF4EBD000-memory.dmp

Filesize
9.6MB

Download
memory/984-327-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/984-195-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/984-322-0x000007FEF4520000-0x000007FEF4EBD000-memory.dmp

Filesize
9.6MB

Download
memory/1172-312-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1172-176-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1172-149-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1172-150-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1172-156-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1172-288-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1172-177-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1172-174-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1412-367-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1412-336-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1412-347-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1412-402-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1412-401-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1412-403-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1576-476-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1576-335-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1608-451-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1608-404-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1608-450-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1608-449-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1608-387-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1608-396-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1632-140-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1740-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1740-1-0x0000000001E70000-0x0000000001ED7000-memory.dmp

Filesize
412KB

Download
memory/1740-6-0x0000000001E70000-0x0000000001ED7000-memory.dmp

Filesize
412KB

Download
memory/1740-139-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1740-278-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1864-372-0x0000000074078000-0x000000007408D000-memory.dmp

Filesize
84KB

Download
memory/1864-368-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1864-342-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1864-383-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2088-133-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2088-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2088-103-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/2088-98-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/2172-15-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2172-29-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2172-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2172-30-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2172-16-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2180-199-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2180-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2180-121-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2180-126-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2444-163-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2444-164-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2444-170-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2444-301-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2648-300-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2648-305-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2648-354-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2660-67-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2660-171-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2732-281-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2732-351-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2732-345-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2732-289-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/3024-323-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/3024-361-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3024-362-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/3024-314-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download