030d3edbdf2d8f3e4501d3b335e38d230bfe3f77fc084b5a04c46bd2c642db89

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe
Size

727KB
MD5

f0987a0168fdac786f0df74f88750672
SHA1

511d956842aba8bbe8f8ba29ba5c2fd55f1b0bcf
SHA256

030d3edbdf2d8f3e4501d3b335e38d230bfe3f77fc084b5a04c46bd2c642db89
SHA512

c64b3c41af67a4744bceaddd4162894e980c5e46236e0e5470b97c778f56163b3ecd116de2185ccd15282c3dde3d531fb8bc5d7b8fc9789c7fb4c286017128fa
SSDEEP

12288:vKVGgMbKPlalt+Jn07XRSfVB6e6h5z6pEDDr3zdypAbfdXDVyHU3UeW60:vKVGg9Elto07hSdBzYCgDrDdSUftDVUp

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2140	alg.exe
2700	aspnet_state.exe
2272	mscorsvw.exe
2464	mscorsvw.exe
1908	elevation_service.exe
1436	GROOVE.EXE
772	maintenanceservice.exe
2824	OSE.EXE
2312	OSPPSVC.EXE
2144	mscorsvw.exe
2664	mscorsvw.exe
2968	mscorsvw.exe
1572	mscorsvw.exe
1648	mscorsvw.exe
336	mscorsvw.exe
2036	mscorsvw.exe
1480	mscorsvw.exe
2504	mscorsvw.exe
2836	mscorsvw.exe
1600	mscorsvw.exe
2540	mscorsvw.exe
2656	mscorsvw.exe
2684	mscorsvw.exe
1308	mscorsvw.exe
488	mscorsvw.exe
1128	mscorsvw.exe
1828	mscorsvw.exe
984	mscorsvw.exe
2128	mscorsvw.exe
2400	mscorsvw.exe
1944	mscorsvw.exe
2144	mscorsvw.exe
2520	mscorsvw.exe
2764	mscorsvw.exe
2988	mscorsvw.exe
984	mscorsvw.exe
3004	mscorsvw.exe
2596	mscorsvw.exe
3040	mscorsvw.exe
2804	mscorsvw.exe
2972	mscorsvw.exe
3048	mscorsvw.exe
2360	mscorsvw.exe
2904	mscorsvw.exe
2176	mscorsvw.exe
3056	mscorsvw.exe
2680	mscorsvw.exe
1760	mscorsvw.exe
1964	mscorsvw.exe
1060	mscorsvw.exe
700	mscorsvw.exe
1316	mscorsvw.exe
2504	mscorsvw.exe
2904	mscorsvw.exe
2620	mscorsvw.exe
1396	mscorsvw.exe
1192	mscorsvw.exe
2052	mscorsvw.exe
2932	mscorsvw.exe
2260	mscorsvw.exe
1012	mscorsvw.exe
2104	mscorsvw.exe
2916	mscorsvw.exe

Loads dropped DLL 41 IoCs

pid	Process
480	Process not Found
3040	mscorsvw.exe
3040	mscorsvw.exe
2972	mscorsvw.exe
2972	mscorsvw.exe
2360	mscorsvw.exe
2360	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
2680	mscorsvw.exe
2680	mscorsvw.exe
1964	mscorsvw.exe
1964	mscorsvw.exe
700	mscorsvw.exe
700	mscorsvw.exe
2504	mscorsvw.exe
2504	mscorsvw.exe
2620	mscorsvw.exe
2620	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
2932	mscorsvw.exe
2932	mscorsvw.exe
1012	mscorsvw.exe
1012	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
2276	mscorsvw.exe
2276	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
1172	mscorsvw.exe
1172	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
876	mscorsvw.exe
876	mscorsvw.exe
1888	mscorsvw.exe
1888	mscorsvw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3052	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b8d0d4ce56fe8faa.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8037.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7964.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe
Token: SeLoadDriverPrivilege	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeDebugPrivilege	2140	alg.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeDebugPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3052	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe	29
PID 2060 wrote to memory of 3052	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe	29
PID 2060 wrote to memory of 3052	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe	29
PID 2060 wrote to memory of 3052	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe	29
PID 2060 wrote to memory of 2592	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe	32
PID 2060 wrote to memory of 2592	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe	32
PID 2060 wrote to memory of 2592	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe	32
PID 2060 wrote to memory of 2592	2060	2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe	32
PID 2464 wrote to memory of 2144	2464	mscorsvw.exe	42
PID 2464 wrote to memory of 2144	2464	mscorsvw.exe	42
PID 2464 wrote to memory of 2144	2464	mscorsvw.exe	42
PID 2464 wrote to memory of 2664	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 2664	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 2664	2464	mscorsvw.exe	43
PID 2272 wrote to memory of 2968	2272	mscorsvw.exe	44
PID 2272 wrote to memory of 2968	2272	mscorsvw.exe	44
PID 2272 wrote to memory of 2968	2272	mscorsvw.exe	44
PID 2272 wrote to memory of 2968	2272	mscorsvw.exe	44
PID 2272 wrote to memory of 1572	2272	mscorsvw.exe	45
PID 2272 wrote to memory of 1572	2272	mscorsvw.exe	45
PID 2272 wrote to memory of 1572	2272	mscorsvw.exe	45
PID 2272 wrote to memory of 1572	2272	mscorsvw.exe	45
PID 2272 wrote to memory of 1648	2272	mscorsvw.exe	46
PID 2272 wrote to memory of 1648	2272	mscorsvw.exe	46
PID 2272 wrote to memory of 1648	2272	mscorsvw.exe	46
PID 2272 wrote to memory of 1648	2272	mscorsvw.exe	46
PID 2272 wrote to memory of 336	2272	mscorsvw.exe	47
PID 2272 wrote to memory of 336	2272	mscorsvw.exe	47
PID 2272 wrote to memory of 336	2272	mscorsvw.exe	47
PID 2272 wrote to memory of 336	2272	mscorsvw.exe	47
PID 2272 wrote to memory of 2036	2272	mscorsvw.exe	48
PID 2272 wrote to memory of 2036	2272	mscorsvw.exe	48
PID 2272 wrote to memory of 2036	2272	mscorsvw.exe	48
PID 2272 wrote to memory of 2036	2272	mscorsvw.exe	48
PID 2272 wrote to memory of 1480	2272	mscorsvw.exe	49
PID 2272 wrote to memory of 1480	2272	mscorsvw.exe	49
PID 2272 wrote to memory of 1480	2272	mscorsvw.exe	49
PID 2272 wrote to memory of 1480	2272	mscorsvw.exe	49
PID 2272 wrote to memory of 2504	2272	mscorsvw.exe	50
PID 2272 wrote to memory of 2504	2272	mscorsvw.exe	50
PID 2272 wrote to memory of 2504	2272	mscorsvw.exe	50
PID 2272 wrote to memory of 2504	2272	mscorsvw.exe	50
PID 2272 wrote to memory of 2836	2272	mscorsvw.exe	51
PID 2272 wrote to memory of 2836	2272	mscorsvw.exe	51
PID 2272 wrote to memory of 2836	2272	mscorsvw.exe	51
PID 2272 wrote to memory of 2836	2272	mscorsvw.exe	51
PID 2272 wrote to memory of 1600	2272	mscorsvw.exe	52
PID 2272 wrote to memory of 1600	2272	mscorsvw.exe	52
PID 2272 wrote to memory of 1600	2272	mscorsvw.exe	52
PID 2272 wrote to memory of 1600	2272	mscorsvw.exe	52
PID 2272 wrote to memory of 2540	2272	mscorsvw.exe	53
PID 2272 wrote to memory of 2540	2272	mscorsvw.exe	53
PID 2272 wrote to memory of 2540	2272	mscorsvw.exe	53
PID 2272 wrote to memory of 2540	2272	mscorsvw.exe	53
PID 2272 wrote to memory of 2656	2272	mscorsvw.exe	54
PID 2272 wrote to memory of 2656	2272	mscorsvw.exe	54
PID 2272 wrote to memory of 2656	2272	mscorsvw.exe	54
PID 2272 wrote to memory of 2656	2272	mscorsvw.exe	54
PID 2272 wrote to memory of 2684	2272	mscorsvw.exe	55
PID 2272 wrote to memory of 2684	2272	mscorsvw.exe	55
PID 2272 wrote to memory of 2684	2272	mscorsvw.exe	55
PID 2272 wrote to memory of 2684	2272	mscorsvw.exe	55
PID 2272 wrote to memory of 1308	2272	mscorsvw.exe	56
PID 2272 wrote to memory of 1308	2272	mscorsvw.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_f0987a0168fdac786f0df74f88750672_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\takeown.exe
  takeown /F C:\Windows\System32\DriverStore\FileRepository\ /A
  2⤵
  - Modifies file permissions
  PID:3052
- C:\Windows\SysWOW64\cacls.exe
  cacls C:\Windows\System32\DriverStore\FileRepository*.* /E /G Everyone:F
  2⤵
  PID:2592

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 250 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 1e4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 23c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 264 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 1e4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 24c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 264 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 264 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 23c -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 21c -NGENProcess 218 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 24c -NGENProcess 1bc -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1c4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 230 -NGENProcess 240 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 25c -NGENProcess 20c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 20c -NGENProcess 254 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 21c -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 25c -NGENProcess 260 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 274 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 260 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 27c -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 20c -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 284 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 20c -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 210 -NGENProcess 294 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 294 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 20c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 20c -NGENProcess 210 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 280 -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 2a8 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 210 -NGENProcess 2ac -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a0 -NGENProcess 2b4 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 280 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c0 -NGENProcess 2b4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b4 -NGENProcess 2a0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 24c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c8 -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2ac -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2bc -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d4 -NGENProcess 2ac -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a0 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d8 -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 280 -NGENProcess 2ac -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2e0 -NGENProcess 2a0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e8 -NGENProcess 2b8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 280 -NGENProcess 2ec -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 2f0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b8 -NGENProcess 2f4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 300 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 304 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2f0 -NGENProcess 308 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2d0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f0 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 308 -NGENProcess 31c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d0 -NGENProcess 2a0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 320 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 324 -NGENProcess 2a0 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 318 -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 320 -NGENProcess 330 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 320 -NGENProcess 330 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 308 -NGENProcess 388 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 37c -NGENProcess 384 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 378 -NGENProcess 3a0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 398 -NGENProcess 3a4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 390 -NGENProcess 3a0 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 380 -NGENProcess 3ac -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 378 -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 3a0 -NGENProcess 3b4 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b0 -NGENProcess 3bc -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3b4 -NGENProcess 3c0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3b8 -NGENProcess 3c4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 384 -NGENProcess 3c4 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3cc -NGENProcess 3c8 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3c0 -NGENProcess 3d0 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b4 -NGENProcess 3dc -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3e0 -NGENProcess 3d0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3d8 -NGENProcess 3e4 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3e8 -NGENProcess 3d0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3bc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3d8 -NGENProcess 3f0 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3e4 -NGENProcess 3f4 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3bc -NGENProcess 3f8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1908

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:772

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2824

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
387db22fa3c0e17af21dce0596821fe8

SHA1
6cbe92c06f74f8806d91b730680aab7334f4b40e

SHA256
253190b5145721f94cc234bb48a8c1164e9e73d7467f2518eae4595dc5d4ca90

SHA512
897af70fe5f43b26fe6da922d070f912c6cec4f94e207b088f08960a642c982a70291fbe4b15e3113748d2cc3aa9ed1de8e8ea400d25ba1f8d4bf41282e2784c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
405f6fe77a7a1a4c04aa88eb6f2229e4

SHA1
da037322b7ae84d8ca2b0dfdaa54dbc8622cc653

SHA256
f2b0ad0c6047bf2ad0ce3379f9dba8082fbb60b0cdeed8691f78e566c4c464d0

SHA512
3d37bd56dc962a7e35268e7eb0e4311ee6b9c17dce78117f077f97cffc590db65f9773fc7c1c3140a9ba8fa24f2b7a0ced3acbaa6824383d54f9eec4c4c0ba75

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
3870b22e564ca61ab559fb37b8e3c4e4

SHA1
522550784f7bdb07b45a37cb61980465cfce721e

SHA256
5d115987a7ce5a8e8144ea10ec4fba729589f5f49411ae5c85aad8c14d9a5a42

SHA512
c710cd806d5bda23ec923f2f16e5bdf92c94ceacab730e1607e2571e22c4bc60ca8c3e8d3149ec97d913f6a90a908818de434897966af6e39ce64574580b7717

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
d5fa90f33c7ba2fc5dce591ab4e0b2e3

SHA1
fe3415d439ac87f1cc188e85839aca552986eb3a

SHA256
bbf52bc39e2bc559acb2e23fd4f6ac593d20c9d4125edce6526a11489c8373a7

SHA512
f6cf1dfa308127ce9b5528aee7107a873fda7e98ec95cf52776780c34253fa44bdd18c659618bb3e0b689b6cdb9f4e94387e9687f03aa49bc810fcfb35bbe2bb

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
e06eb120d3728fc648b0a8e164e51ae5

SHA1
ae0d7dece2f2b61b1f258d7a92727c1fb7e0f66a

SHA256
42025a740c9b59a4234c29f1020f6cb2dd8fad6a89303d8a1cb363ff8a9011fa

SHA512
d838cef2ad2a4f00cbaed1e05c44abb58e062e2339393a67163b9b84381e9b68a6415be62668f6861deb0d1150a8199f39d3ec471e0d0e8f0a652a9fce683cf5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
10.4MB

MD5
c72a8d8eeed4c4748cb861016b550379

SHA1
f861e1479dbb65464dfa03d02f7ddc15d7473014

SHA256
92ccc98ab73154413be2483cb7977680632e9b1d5bc40e514205564c5d410991

SHA512
93c03d42d32feef8212734791d0ae6e0d1192e0ed859232d8ea961ab6a067bbe70dbc81ce945ebadb67b4a506a4e9d9220b7f5e47fa0919ad1025afbac0387dc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
4c3c76b63ca205090b015d5bf0426f72

SHA1
741a5f7a673de69870a6ac773941c0c236cdd9e2

SHA256
08d2347cb170d018658bf58f7facf6304488ee2bd7a87bc9fd804c3aa2fc43a0

SHA512
3646c968443d2d90f324ea5b746edf143cde9c3e52eab0d0f8741f9978faaf87c7362778577f408cdc128d3e6930347924cac71638451ee544baaa1fbe81584d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.0MB

MD5
7d13ffeeeb3460846c72fd0dcf670dc2

SHA1
5b220a4bbdbb4e8a4ca379b6f3da9adc1551ddec

SHA256
767013147421639c8bdad313bb0ccefac24ebc7e4b61a1894add4fec006ffc52

SHA512
c7d84b367c0397f9bb4c5f74c607cc5a2a03b8d0cec2e531044658d7f0c1b06ef4b8520ce31f159f1196fe36d6647cda09fd172bc815a7825d8a17d12baf18b2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
ce6ddd4ae262fd546d06b60b10ee2f91

SHA1
20d3da615fa59c53e8c8d2585f3de7b868d67928

SHA256
b440e92ebd6c2f7172ce43fa450f32a643fdc058a40fdcee5f4b611f10060b3b

SHA512
995b02462f7070505bfa1869f2cadb28ee278b2679e759e4c133fbe26bb3ea8dd60ba26ab27e25822052c329eccb3fbe19d39351f605fbfc79bc2b1deae79cc7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
85d6931431fde2e1dd33b7bc23a14f2d

SHA1
28eda47f27ff246d8db4a383deba80e5b0c4ae05

SHA256
646bebf5531ae1dfbad86498dac2477e5b25d7fcafba12a2124398ced24953db

SHA512
97f3bb72cf5aeb7053db8a16fa719fbbd693edc64792bb8ba64baa26e4ab959cbf853748e17ffafc8448c8d999fe38d06527490b996292823a653135dea0fcb5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
583KB

MD5
549e2c5e4786bf2b212ab1c13ae2d557

SHA1
dac46f8827e4e8bd5070c36f2ac4392365be30cc

SHA256
191ea2a796d8d43338dfc9381e145c552e252afcd0bb565d411d284aa36cd715

SHA512
63fecdfc66d321e7c126df147fadde339b12da81c54903aa610bd1ac4872c29f5c12c1b14934a5404d23a2955e4a5150203503ce12242c522d0dfe53058b486d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
3.1MB

MD5
3e7d996652d2fbcc920337c4d07e4abb

SHA1
8121a2083e6c5f39e46277613883b034a2d5bae4

SHA256
3eda37ce6203b2d9b93469b472377dbe99bb9c55f75b04d418a84f43c567aaea

SHA512
f348ddb987494c4320ea9d5c84c094b4effdc44c45493b52eb6ce94412fa8ca07c6a2781574f1bfdc0f3907b801eb541097b5adbc6b203e4ff999d2fa35bfbb7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
137298951ae8be4f95a35d9116f0be75

SHA1
f799adb36a50862deb5efe3b985d2f6a3eb5ca1a

SHA256
980192dd7fcfc7f3ad501fabf75194dec04976eff88e065163621ce4c9bf382e

SHA512
9a2562bb1f646085939961fe2fcff092e92cec81c56df946c147461c94d6967ed38b74b5be9701d6a61eaf6fd8c3613ca78cb854a83257ac3ecda270381af007

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
d9995b958d1701350b01f13f76816ea7

SHA1
080e229d6ab46e453100179d7eb8f4c8d066642f

SHA256
e80367a8ffee61d0d27892b1dc34fff85d0e6fc5c953086214bff0ca487ac09f

SHA512
a6ad9acdca4480a6cbaad34643394b0796eecb50d42af734db1a26a148329810a4bc7d180d289678a7d9b646cd59de4d5f56ac2b6b4a3a07044991c613de01c8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
280fe00b5b334e19706caf1b4b1f7045

SHA1
0979c797b20b1ae479e3f217310f0f75c0dbfd50

SHA256
4bdcffcf5c07e7dc94e4eb1f7c16989e29bd5b2a2d566bd61913eb47ff842c9e

SHA512
c4a9fd3952e1220b47b8aca2029f1d2fd432fcb39c2ef16f790b376726b1b368be9e416e63934c5b214a7908c97d5c4190541bf0a27141db515f899da8aed03c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
80bd4a7e01bbe6ab088282f788ac4386

SHA1
a367652e41ed5bd82feb223e54bf5b55d85a2900

SHA256
d6e7edd9a253fe4eb9cadf2ba640001c0bee8d8ae64365087607eed854d883a7

SHA512
3490e3957a7a26bbf9674d541c0e0726b57e4c22dbd8fcb703ab6d838671a9a7de619b3036baa470637dc01ce18d67986e6c540611329f759f564a31a64cb840

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
2ba8758e2234355133f7e4c02d39a344

SHA1
f0d969c765c70eef633c396996f59f84c9d90010

SHA256
eee9c6c64b2c0b2b051b764f16373e5e252f55c9343a752a4f0852b2b95044ac

SHA512
2e7986bdcf1bb128aa8a7e0a414ed58cbe04895cb4cc072dae9852c484134b12100bf10ec63b3abaa8c0333239059a25140811778caf82c03392951aaa5f1030

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
73f53d825a8758b7109d0087f131634c

SHA1
d1e25eae77d2e6d5ec9c9fb0dd52d6e033892e06

SHA256
369d4e2a90b0fdeca7d1fb50dff75352527f080de2c2c944edfb5f5639065e3a

SHA512
7717b18b3c50aa9db95e23cb7db67e71f62b01734f50c76ffd739813e881207cefe472307c9a7dc45d4c1952a36c96ad51d8475a234f785456f8a73324c579bb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
7730c727b8685348fa178e2b481649a1

SHA1
1b796eabb459661098753d00ec171e23caac835b

SHA256
ec79029b4a6927d840f73597238a690fdd34e3c1193ea64be40b38bb0ea26130

SHA512
7f5588b1109fd7ff207ef76a5b8711fdf3cfbdfb038e0b31eeb14722a25cd765ad150774780560ce7dea0f6423b2f46a0fabffcb39fa28b2ee967284090cb6ee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
1d2dfd16b9511de966724b0d7876b42d

SHA1
45de97f3f9c1fc16ca7f93167402c924b9ae957b

SHA256
cb3e2a5dbcb435657a6b93c0dd1e00fb8a4d61f83bd8055628e5570aa7b65b76

SHA512
ccb43c69a21beb41ba812bac8b3fe27ed1bd553592d2da8d6b571d9b8c932e3b4168ce58f310d4e8ce004abb61f990fa959819a33d8ae1dc6c2009e0e95ddae6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
82d67becfce0dbee7a829b7af6fabfc4

SHA1
49f0534ebb900a63f3a67a89a40474a2292bd9d2

SHA256
e59550be4bb98e5400a700d1a07021a19259b762a786b30ec6642f362d1b3096

SHA512
5babe8a3144be810ad8cd2de22d7236d5c0fa80593841b57c9419c99822660e540f8ad2d782895afe72828827af8b23968f8845e0fe3411bbb38599e8f21cfc1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
b7b4504f4770e0f974a2c6d1876fbe2f

SHA1
fb127457fa3c57eea9f7ddadb96383d24eab1fa8

SHA256
d8717818356e91fa5c09652b26a34037216605a26ccb4d97a539d1333d563314

SHA512
986d0973d6acd20c43d0d8a966db2e856d95bd8eb72e3474720eae0a982ce3b94ab2e18cbd1c18cb507ecf2e69db3c9f77e6c4863846c38fded8864dde989662

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
57dc4399271f4725dad1ee026a8d6637

SHA1
d43f40b49adf57040ae5a362f32127db9d2f0edd

SHA256
26815b0ab21f83ce0614e99a1241896f711a90cfb9b8cc193e9a07fdc8024f14

SHA512
bd4aefbd0de841eb72dda59a0097a078ebf22bed01f8c7ed356bd2a2e899274973b60708ad09dbc394d0c7e9c712a81584443b217de0edbad9c5e11cf503187b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
c0d073b30cb1699b706c36c290681994

SHA1
da1b81c52258031bbb2b5192ccd563b0af2e220c

SHA256
7020b9e4e6c99e8c72235156559ec9c419564f8d247716a8cef5b5a7938119e9

SHA512
799162b7aa7e33801b0eb18cd888bbfa37ec506af4a4a83d5933473284756be7803469b24f7bb21316aad356a5818866c2704f5f95569aec0686b45b697b8fe1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
fbc2020461aaddcfebcadb90932f94a4

SHA1
f35e4c575ce011b8063c7645711a9d2caea9da86

SHA256
35c616f57af5ce30e98743896e2d05667769c4c9c3115f8e3528d356ee8ab90a

SHA512
7773b5d7277fb630b90dd17c6126903d570a42934d7af2fb5894d906c5af6a12deeb7ef45604486c50e83f1ab9907d91130838f090cba40296e8397dd4e03cde

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
a4d8f47f8bc05b22eb51aa70b62e4677

SHA1
720f1d3e86db1ea397469606122b7a251070908b

SHA256
1b36fe97f18d31c6808ad554ebe21a482b9db9185978bd619098a5c4e09071ad

SHA512
2cbcbe28b202d834fd0faa156a471d5b867628a98325efe8db0536b8cb8f73d22edb7e5c03f737e881019ed85baaf0aa2109d58d6ce32a2b30b14a9b2c033ed1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
d4d99aaa2c938f52df1c5ad93c97d646

SHA1
e6cb3d02eee13df944043280d8d9942b1ee707d7

SHA256
f3d4010f937f608d08e4ace66b671554667a38c61ffe938830c573894e1db8e9

SHA512
9655b5d2ce2c53adb0127f6bcf187a51dad1954ba171f2a42b6f23ef3a5774e756af1b09d59aee64aec00d145256f79fc985f98785491c00f7a0bce0b32c8171

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
577KB

MD5
99b09383d917907dc9e6fb21e3810a98

SHA1
1404912df1493e7fa651dcdcd051b90c1530e8c8

SHA256
d5882fe56d515c2d1eba8eff7d13fe503ff37b555058dba0bb398ebc0d1e71e1

SHA512
84356f83c51b799d4257064344d6c38ab7b6275f1479977a8f0d487cd91d8e392acb6000cfef00c5a88679d08836058873825255951160385aea1a226520c809

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
577KB

MD5
20af32221c64921bcd29b8198018dddf

SHA1
755382afc9eb263fbfb9c20de988290c2d66964f

SHA256
ebd07436c36b309140c8acde6dc65aff9e17842d9aae57b685133c6b2847d89f

SHA512
2a045d0108d7c7b20c63ec45ff9b2ea4921d1e2bce4c6948cc887c0a045c067cd5748dcf45c1371ea47b6200c3b5c36d7ff2379f933223e740997f9de9923a79

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
639KB

MD5
c245bec5d3cff96f645ba2b297815558

SHA1
b6c1ea98ad00ae07d1e4219bbfa654a75fbb8b42

SHA256
4daa3f630777576f956f7036473c602ac80aa460d4cd421d85ac373cd1df7c03

SHA512
af63cef36b75977f33679723d8027189ead3ddb478fdc2c6d10721bf2c8c16bf6eb98635e625744d3b2c7c737caa6b8079578145d43f21244b7b75f370ee86e4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
7e351689362d3d839d4400599b44d5a4

SHA1
7f04cd052261a0765a4dca425ee0374a4bb4a206

SHA256
182bd9682476d1e489037c779f4263e6f29463b4475b8ef3be8ddb5767de7eba

SHA512
d7d2dce5bc066a7b11ebd670a7c93213b5c72ef169a80edce5c20f7cfc5d2b82fed2e1f438c1dd8b996afbc406df7b5bc06e9f9e4bcba94ed149fe587824312b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
e08fce9192edbb3cc35a194da8d9d57f

SHA1
a20e3eca50cc7ab3a3715301bb04d6a9e3b45320

SHA256
4daad54840f63dbe127a536e33075b0fcf5e665a48487cdc4470e982351956aa

SHA512
a9038407912e6588536060e2271b622811f4d7f59143c1317cb969b4e530f1731b0d50cdd2e9ddf42068277857046fd2aec836d251144d17054a84abbf3bba42

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
144d925ba62308bc4624353832e17219

SHA1
5b417f579f58df45eb793dc05185baf2df6b3f7f

SHA256
8b6511a089d1d89a70e6137403aeb26fdca213a1aa42cf0ac6066d1f169a58d3

SHA512
5defde1e49c22fd63390b150a8a73b2ed7c0a25c77cfb529c5495e917226f01c6adb9074c67374bf9c69c9141531da923861983997dc49207125a20e5509cabe

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
cf5da19ca8ab6e3afc29800dc0901f5c

SHA1
0c5ee964b5df7423aede305bf942ca9fafcf1ce6

SHA256
d1abfa3d9c216b3769375239bd3320ff0c9bf2528415c50967055482072ee8ff

SHA512
cd8379b11940aeb85dd853f094eb641a22d8befc2b1503e720062546daa36bc4456e181cbc66112de0de38584744492c37219555cfd485010ad818abed882bc3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2fc5d97aef8ca8aca449d027c3d9aa04\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
5a3140244323f64f1ff5067eb602d9c1

SHA1
0712476281e7b94999a239cfcaea49c450e81c32

SHA256
f24a45d75b814ae73b9d8666b9cfeb91fd68a7a80a996ab403a85e5bfc4aa892

SHA512
c446a8e375e2d68951855acf0a2650051e213e13f8c7ed42e32a7e8ebb41f9c13dfcf98bb8c820ece6654056f6ef6a5be49548612cd3c7eb2723ac52a54b1f20

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3e41b296b4d311f8f5b6e77d853d29e5\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
43a03f5b8fb37d44eb4756fc829e57ab

SHA1
5be2d2df050f2bafab750c1000d33f38b58e3b46

SHA256
ece913f67fffaa6db947b9924441a30f76ccc44e35743f3eb2152bad15e96499

SHA512
3b27360ca3f9d39fbbc900db768fc9c3c2372f1aa2158920ae815036f0a2f0c60af6225e14cfaba959eeb69c5a892832095e0e207eb8d384d8e78527b98e0d03

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7757de4b540b01bf6e05cc57de2dcad1\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
1a226cae0618c780f1c492a2b84c680e

SHA1
60d61dd559477122a3027c7821bc1d21d0dea44c

SHA256
25222f87901845cf02254733e31d128d3ddbae1e669a92ee0e222d99029e4035

SHA512
337ffbd823f4ed62a301e7c35f3d602d94ae7098472f40275f9349075ed0b0e6db5b6eb599fda66e1636073f2b6eff058aac3497c9403b39b61522a89bfc1641

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a1020ab694f69dc7df48ebe0ec587739\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
54c5a07d53ee31843054449d54579789

SHA1
6e19860c132d61589306474a98fe1a79ff05be51

SHA256
bd81ea89bbaf5059733cefeab5b3c97c046cf41f8bf877df4007d97a73359967

SHA512
a99de3e2e0d6ec4d5b560a7015c902923c0e8d8fc44f0dde10bd8a6f82e1a4fcf8dc67518deeb3aac4517d91e98e5966eb2577fa823dd9a9ef91cdb2a5a0f981

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
2c0bdd1b7319f6e61d3967a9ec9e2340

SHA1
b3f829e029ed316fab196d709dcd4124355bf219

SHA256
15b37b21083649c25ff77c3a310970b64f9fdfc04f2119e8ee503f120a69403b

SHA512
3c861c787755801276adf6606f84b9cbb83a95872a7b83d425273503249a0406c9e9cae30f0e34e48bc76b236b73f0181f41fcd2c3695753306ea9146c2c6c25

Download Submit
\Windows\System32\alg.exe

Filesize
512KB

MD5
c22e5cbfe98df6e8e2be85513f6212bf

SHA1
66ee1f1382e52c6d27ee1fb68a05a8ead78e7bc7

SHA256
3f1908b6b93397da9d55a4c7863bd09e1f377a11dfae5be1413b3df39830a492

SHA512
aed8fc44ee2fc0656d2291498751582bd9cc1c874c9b34e208b43e24c09aec38477a1a3c12cdba283dd67d1e62cbcb8135822966d7288d01b5e790e3af06c573

Download Submit
memory/336-366-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/336-389-0x0000000072880000-0x0000000072F6E000-memory.dmp

Filesize
6.9MB

Download
memory/336-384-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/336-374-0x0000000072880000-0x0000000072F6E000-memory.dmp

Filesize
6.9MB

Download
memory/336-372-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/772-90-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/772-84-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/772-108-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/772-106-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/772-83-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/1436-78-0x00000000003D0000-0x0000000000436000-memory.dmp

Filesize
408KB

Download
memory/1436-279-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1436-72-0x00000000003D0000-0x0000000000436000-memory.dmp

Filesize
408KB

Download
memory/1436-75-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1480-395-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1480-404-0x0000000000A90000-0x0000000000AF6000-memory.dmp

Filesize
408KB

Download
memory/1572-385-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1572-390-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/1572-348-0x0000000072880000-0x0000000072F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1572-337-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1572-394-0x0000000072880000-0x0000000072F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1572-343-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/1648-359-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1648-361-0x0000000072880000-0x0000000072F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1648-353-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1648-403-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1908-61-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1908-60-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1908-131-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1908-68-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2036-388-0x0000000000A70000-0x0000000000AD6000-memory.dmp

Filesize
408KB

Download
memory/2036-406-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-378-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-391-0x0000000072880000-0x0000000072F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-1-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/2060-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2060-6-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/2060-28-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2140-13-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2140-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2140-80-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2140-19-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2144-287-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2144-294-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2144-300-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2144-298-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2144-306-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2144-307-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/2272-96-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2272-31-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2272-32-0x00000000009F0000-0x0000000000A56000-memory.dmp

Filesize
408KB

Download
memory/2272-37-0x00000000009F0000-0x0000000000A56000-memory.dmp

Filesize
408KB

Download
memory/2312-137-0x0000000073F28000-0x0000000073F3D000-memory.dmp

Filesize
84KB

Download
memory/2312-335-0x0000000073F28000-0x0000000073F3D000-memory.dmp

Filesize
84KB

Download
memory/2312-313-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2312-126-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2312-121-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2312-113-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2464-111-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2464-45-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2464-44-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2464-51-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2664-314-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-319-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2664-312-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2664-304-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2664-320-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2664-321-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2700-91-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2700-25-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2824-99-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2824-104-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2824-97-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2824-302-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2968-347-0x0000000072880000-0x0000000072F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-345-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2968-323-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2968-331-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2968-334-0x0000000072880000-0x0000000072F6E000-memory.dmp

Filesize
6.9MB

Download