610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
Size

1.8MB
MD5

8bc2a2211679bacc03a61b0ef0c2a42b
SHA1

89efa59b1dd4378fcdabc590a77bfada9f262fab
SHA256

610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c
SHA512

0bd7750330bc19b8f7bf0d68f8fd7c6dc7da2887def99fc5a3b3ed07253bbbd5d1e443a0c6a3c03add7791e4159c0ab6b11f3da71f6cd32d329556fba5969d38
SSDEEP

49152:AKJ0WR7AFPyyiSruXKpk3WFDL9zxnSFpAHrVQ1/fSNvi:AKlBAFPydSS6W6X9lnapAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2780	alg.exe
1032	aspnet_state.exe
2816	mscorsvw.exe
1576	mscorsvw.exe
2504	mscorsvw.exe
2332	mscorsvw.exe
2936	dllhost.exe
2872	ehRecvr.exe
1500	ehsched.exe
2864	elevation_service.exe
2236	IEEtwCollector.exe
656	GROOVE.EXE
584	mscorsvw.exe
2904	mscorsvw.exe
2516	msdtc.exe
2476	msiexec.exe
2244	OSE.EXE
1808	OSPPSVC.EXE
1532	mscorsvw.exe
752	perfhost.exe
2648	mscorsvw.exe
1928	locator.exe
2584	snmptrap.exe
624	vds.exe
900	vssvc.exe
676	wbengine.exe
1976	WmiApSrv.exe
2980	wmpnetwk.exe
1516	SearchIndexer.exe
880	mscorsvw.exe
1904	mscorsvw.exe
548	mscorsvw.exe
1456	mscorsvw.exe
1972	mscorsvw.exe
2312	mscorsvw.exe
1660	mscorsvw.exe
1628	mscorsvw.exe
2904	mscorsvw.exe
2256	mscorsvw.exe
1972	mscorsvw.exe
2704	mscorsvw.exe
292	mscorsvw.exe
988	mscorsvw.exe
2928	mscorsvw.exe
1784	mscorsvw.exe
2140	mscorsvw.exe
296	mscorsvw.exe
860	mscorsvw.exe
2412	mscorsvw.exe
1452	mscorsvw.exe
2904	mscorsvw.exe
2120	mscorsvw.exe
2536	mscorsvw.exe
2580	mscorsvw.exe
792	mscorsvw.exe
2820	mscorsvw.exe
2640	mscorsvw.exe
2560	mscorsvw.exe
680	mscorsvw.exe
1148	mscorsvw.exe
1044	mscorsvw.exe
1764	mscorsvw.exe
2872	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2476	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
736	Process not Found
2820	mscorsvw.exe
2820	mscorsvw.exe
2560	mscorsvw.exe
2560	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
1764	mscorsvw.exe
1764	mscorsvw.exe
296	mscorsvw.exe
296	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe
2972	mscorsvw.exe
2972	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
912	mscorsvw.exe
912	mscorsvw.exe
2340	mscorsvw.exe
2340	mscorsvw.exe
892	mscorsvw.exe
892	mscorsvw.exe
1964	mscorsvw.exe
1964	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
1244	mscorsvw.exe
1244	mscorsvw.exe
2608	mscorsvw.exe
2608	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
744	mscorsvw.exe
744	mscorsvw.exe
2568	mscorsvw.exe
2568	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9554e882223c682a.bin	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\goopdateres_cs.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\goopdateres_lt.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\goopdateres_ja.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\goopdateres_es-419.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\goopdateres_it.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\goopdateres_uk.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\goopdateres_zh-CN.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\goopdateres_vi.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5CFE.tmp\psuser_64.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP66FD.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D39.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP897B.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP75EB.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9B36.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7945.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP80F3.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5042.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0c261d1dd64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000700fd7cbdd64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
292	ehRec.exe
1032	aspnet_state.exe
1032	aspnet_state.exe
1032	aspnet_state.exe
1032	aspnet_state.exe
1032	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3056	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1032	aspnet_state.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: 33	2860	EhTray.exe
Token: SeIncBasePriorityPrivilege	2860	EhTray.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeDebugPrivilege	292	ehRec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeSecurityPrivilege	2476	msiexec.exe
Token: SeBackupPrivilege	900	vssvc.exe
Token: SeRestorePrivilege	900	vssvc.exe
Token: SeAuditPrivilege	900	vssvc.exe
Token: SeBackupPrivilege	676	wbengine.exe
Token: SeRestorePrivilege	676	wbengine.exe
Token: SeSecurityPrivilege	676	wbengine.exe
Token: 33	2860	EhTray.exe
Token: SeIncBasePriorityPrivilege	2860	EhTray.exe
Token: 33	2980	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2980	wmpnetwk.exe
Token: SeManageVolumePrivilege	1516	SearchIndexer.exe
Token: 33	1516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1516	SearchIndexer.exe
Token: SeDebugPrivilege	1032	aspnet_state.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeDebugPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2860	EhTray.exe
2860	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2860	EhTray.exe
2860	EhTray.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1816	SearchProtocolHost.exe
1816	SearchProtocolHost.exe
1816	SearchProtocolHost.exe
1816	SearchProtocolHost.exe
1816	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
1816	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 584	2504	mscorsvw.exe	42
PID 2504 wrote to memory of 584	2504	mscorsvw.exe	42
PID 2504 wrote to memory of 584	2504	mscorsvw.exe	42
PID 2504 wrote to memory of 584	2504	mscorsvw.exe	42
PID 2504 wrote to memory of 1532	2504	mscorsvw.exe	48
PID 2504 wrote to memory of 1532	2504	mscorsvw.exe	48
PID 2504 wrote to memory of 1532	2504	mscorsvw.exe	48
PID 2504 wrote to memory of 1532	2504	mscorsvw.exe	48
PID 2504 wrote to memory of 2648	2504	mscorsvw.exe	51
PID 2504 wrote to memory of 2648	2504	mscorsvw.exe	51
PID 2504 wrote to memory of 2648	2504	mscorsvw.exe	51
PID 2504 wrote to memory of 2648	2504	mscorsvw.exe	51
PID 1516 wrote to memory of 1816	1516	SearchIndexer.exe	60
PID 1516 wrote to memory of 1816	1516	SearchIndexer.exe	60
PID 1516 wrote to memory of 1816	1516	SearchIndexer.exe	60
PID 1516 wrote to memory of 560	1516	SearchIndexer.exe	61
PID 1516 wrote to memory of 560	1516	SearchIndexer.exe	61
PID 1516 wrote to memory of 560	1516	SearchIndexer.exe	61
PID 2504 wrote to memory of 880	2504	mscorsvw.exe	62
PID 2504 wrote to memory of 880	2504	mscorsvw.exe	62
PID 2504 wrote to memory of 880	2504	mscorsvw.exe	62
PID 2504 wrote to memory of 880	2504	mscorsvw.exe	62
PID 2504 wrote to memory of 1904	2504	mscorsvw.exe	64
PID 2504 wrote to memory of 1904	2504	mscorsvw.exe	64
PID 2504 wrote to memory of 1904	2504	mscorsvw.exe	64
PID 2504 wrote to memory of 1904	2504	mscorsvw.exe	64
PID 2504 wrote to memory of 548	2504	mscorsvw.exe	65
PID 2504 wrote to memory of 548	2504	mscorsvw.exe	65
PID 2504 wrote to memory of 548	2504	mscorsvw.exe	65
PID 2504 wrote to memory of 548	2504	mscorsvw.exe	65
PID 2504 wrote to memory of 1456	2504	mscorsvw.exe	66
PID 2504 wrote to memory of 1456	2504	mscorsvw.exe	66
PID 2504 wrote to memory of 1456	2504	mscorsvw.exe	66
PID 2504 wrote to memory of 1456	2504	mscorsvw.exe	66
PID 2504 wrote to memory of 1972	2504	mscorsvw.exe	74
PID 2504 wrote to memory of 1972	2504	mscorsvw.exe	74
PID 2504 wrote to memory of 1972	2504	mscorsvw.exe	74
PID 2504 wrote to memory of 1972	2504	mscorsvw.exe	74
PID 2504 wrote to memory of 2312	2504	mscorsvw.exe	68
PID 2504 wrote to memory of 2312	2504	mscorsvw.exe	68
PID 2504 wrote to memory of 2312	2504	mscorsvw.exe	68
PID 2504 wrote to memory of 2312	2504	mscorsvw.exe	68
PID 1516 wrote to memory of 2732	1516	SearchIndexer.exe	69
PID 1516 wrote to memory of 2732	1516	SearchIndexer.exe	69
PID 1516 wrote to memory of 2732	1516	SearchIndexer.exe	69
PID 2504 wrote to memory of 1660	2504	mscorsvw.exe	70
PID 2504 wrote to memory of 1660	2504	mscorsvw.exe	70
PID 2504 wrote to memory of 1660	2504	mscorsvw.exe	70
PID 2504 wrote to memory of 1660	2504	mscorsvw.exe	70
PID 2504 wrote to memory of 1628	2504	mscorsvw.exe	71
PID 2504 wrote to memory of 1628	2504	mscorsvw.exe	71
PID 2504 wrote to memory of 1628	2504	mscorsvw.exe	71
PID 2504 wrote to memory of 1628	2504	mscorsvw.exe	71
PID 2504 wrote to memory of 2904	2504	mscorsvw.exe	85
PID 2504 wrote to memory of 2904	2504	mscorsvw.exe	85
PID 2504 wrote to memory of 2904	2504	mscorsvw.exe	85
PID 2504 wrote to memory of 2904	2504	mscorsvw.exe	85
PID 2504 wrote to memory of 2256	2504	mscorsvw.exe	73
PID 2504 wrote to memory of 2256	2504	mscorsvw.exe	73
PID 2504 wrote to memory of 2256	2504	mscorsvw.exe	73
PID 2504 wrote to memory of 2256	2504	mscorsvw.exe	73
PID 2504 wrote to memory of 1972	2504	mscorsvw.exe	74
PID 2504 wrote to memory of 1972	2504	mscorsvw.exe	74
PID 2504 wrote to memory of 1972	2504	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
"C:\Users\Admin\AppData\Local\Temp\610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 268 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 250 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 290 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 294 -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 294 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 1d8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a4 -NGENProcess 1d8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 284 -NGENProcess 290 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 2a8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2b4 -NGENProcess 2a4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1e8 -NGENProcess 1c4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2c8 -NGENProcess 2ac -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d0 -NGENProcess 290 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 1e8 -NGENProcess 2d4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2d8 -NGENProcess 290 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2a0 -NGENProcess 2d4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2d4 -NGENProcess 248 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 248 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2ec -NGENProcess 1d0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2dc -NGENProcess 1d0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2a0 -NGENProcess 1d0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2a0 -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ec -NGENProcess 2e8 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d8 -NGENProcess 2dc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2a0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2d8 -NGENProcess 314 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2d8 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 310 -NGENProcess 2f0 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2ec -NGENProcess 320 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 320 -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2f4 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 30c -NGENProcess 2e0 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 330 -NGENProcess 318 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 330 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2ec -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 334 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 324 -NGENProcess 2e0 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 31c -NGENProcess 2e0 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2e0 -NGENProcess 334 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 334 -NGENProcess 340 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 334 -NGENProcess 328 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 31c -NGENProcess 318 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 2e0 -NGENProcess 360 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 364 -NGENProcess 318 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 340 -NGENProcess 334 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2e0 -NGENProcess 30c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 368 -NGENProcess 370 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 334 -NGENProcess 374 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 318 -NGENProcess 370 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 360 -NGENProcess 37c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 340 -NGENProcess 370 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2872

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2236

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2904

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2244

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1603059206-2004189698-4139800220-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1603059206-2004189698-4139800220-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 604
  2⤵
  - Modifies data under HKEY_USERS
  PID:560
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
960KB

MD5
ce57743674361bfc298b0bacb45b5eb0

SHA1
b7f43886e8a74b42424828fdcc94227078c4734a

SHA256
b816f5319726198cb2e280efeef4f07c6f7630301a70edbfb997ba403e94691c

SHA512
688cb7527f5185da2c94ce426540f10dd6e11762ef788d80573255c453efb49fb33ab07ae1249ac034022e63375f1b875f0ab0a339f11c8b04f1d6ced9bedbf8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
4.5MB

MD5
af8233a44e0e443b122f3d700ede246a

SHA1
e26c71544f4abdc70559ac5c67299edeebe60d72

SHA256
c7dd7b5dcc40eee19d9edf0c3dacc7ebe9c115e7ec0e519bb5de4c77725e783f

SHA512
7e049403c9ab13bc88ea720603bf8068a97146d8c93ecf8ac311492ef2cd8f3b203ef5ff1442871faeae797a7d60b2089639f876f9036eeb125f0758226ae818

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3a02aef2803601db1c4d8e384267c0a4

SHA1
d2f24018221c50a417cf463ba4634d5dc61bc721

SHA256
00e6f1c331b29b195b980dbef89123339cfbaffda889fd60d1301dab21361403

SHA512
4c479ceec393f9c00733d7e2befce064fdfe56f5fd78090c11541c1edf3ff320d592505f78344bb8f6a1a9b356a63f3f103b7757898da885c425bbc9e55f5ca2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
256KB

MD5
1733ea572df93289c12791f3413049fe

SHA1
72f151c8fe85053b66126419a81d173bee3fbdcd

SHA256
9c391cf0cb0bead77e55c5300932be0a4ec0da8fcc177c52a5f16821ebfc8744

SHA512
ecb4c5defe70240d0774a9ebdba47c3641f7a497ab5417125b4baed90f6f7d8b778d67d78ad635e0178d352e53d0740ad20578417e9ed13ee101895534fdf381

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
58b329a769a1b61b5ab55b038754a8b2

SHA1
61a93cc81e73065793056f1aa82d3b04f65a635f

SHA256
61db08877505e3f438ea7eaed99bd08967fbaf501b531fcf0407c15d3c732de0

SHA512
ac7117a3bb8c4864ff6475f9ce6348132e6085d5cbdd924a80bfd810610c47aeb2e0112c69206a0ce28536f31172d1e0bc80951f6f7a66ff18170a7c64aed5b0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
61becab97e10f36d19f21cb3a6e2d008

SHA1
01e4fedab9039ce236fb2474c30e997f2fc4fa1a

SHA256
1c1a5057113166b4730172a64d00c6a089441543cbdcf37b3b87e9514343c3f3

SHA512
dcfaf68ec538fd1862730f2e7f96f00b932946e1bfd71894abe77885145c20e768e566e9db72c070ba9c6b98d2cc9b02bf77cfafd9f7031320c003eea98fc637

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6dd344290eaca3175552a8713f8ea4e7

SHA1
5027123405915bd3e1ec90b6846d0d333406045a

SHA256
92c24e5a452b3364186bce10e0b6e961ec6537aeec15279ed4ceddcb3d93b520

SHA512
3b7405576f2750e6c048fed28940d107ff560edce8c0a258d8eeb0dd3d04b7174a48cb82b91c383f2a9b92826ad807b4e6c45ccf508c33a96434712ddb4f82c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
ce87caaeee21776d9e74c8b9210b7bd0

SHA1
d2ca8e586efdfc15c7747c7346cdf1adfbfcf45b

SHA256
c6341e1c559bcf70be558224c4bb7b51ce4249270abfe20ffc5a3ed8d1009451

SHA512
4a929c6cc7e1e080f38be2b79bb70ec79d535254b5566f8aae45a509d6a589f3f650b68d7aa0000e372aa200a38128403f185b8b2f55949ab732a4b2758855e6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
3b407a3b52759581559f77bf2a8e6e70

SHA1
bf3d85fe649bcbdbb3cee389a71a6138ec81c0fb

SHA256
d99547a4bb2113da295459569c3537065783a607a474a793d1a1b5a7b16ad615

SHA512
772e44cbef8360bcdc8fa5e575d9985ae32b8b54e02dec552b572370fdb36e14e965e04b8fd5da9db70bfbac6c14931cb393afd13439dbfec1daf09e855c6b7a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
a575c3cfc254ed01a9dd497236499299

SHA1
594cda71590f26e71f18018df355df2d23b36bfe

SHA256
87a47195d5d98bd3653842de75b4d00fc01ecf73e7bcb475a33ce34feb0fbc45

SHA512
668d02752fe33f8c112ee6061d77993a93a47350a76b2ea2129f93444db8c4479e3ec17cfcdbb2b4c6d33b5a848348263452f27e197d4d34337d9f0a45d99130

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
cf30439a8430d8f316b6e54bfebe1ef1

SHA1
1a369fd687f63afa0e013cd37500ba32d861746a

SHA256
023f6984f9022b834c760f76821346f4df448ebfd18b1620233452e3085276ea

SHA512
ca66b82840b6b34c2fab79668769345c667f2a0cf15f1ea36a9ece0a16ade01c1227d02e8cef6b8ebcc853b8b93813c5554db05df1add8d386bd921da8adbb1c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
4168684e0e2a756375af1d4929da4018

SHA1
b29cb3b19093c84ebcdf42f23da60f9621e281d8

SHA256
5b315787f7e2daded9f00fa473b95e49a2f4a9922478ad6aa4c62d7921662be7

SHA512
43294df59f76cb6c5d3824fd43ebf7e9b0aa3a1c1dcdc55662ddeba8833af208ec83d150bc4d3a8d6f9e0180012e443aa1b44863ba4152e619f17293a8c3d66e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
86cbfc4fba9d06802bf2a66c35f70a4e

SHA1
8611e064dbafbbfb54b4b18850a407b12805d796

SHA256
6ebd6421492eb1facd4fa38959a28ac9a422b3ff04e015a6ac1dcc98d9eae037

SHA512
982ab6b57b7f23c8cdc01563272e1e2070642859ed7643b208c04b943628bd8cd566f42baa1af430c5b7e58df144c1ad578054580b67547a76ed93d71432a8a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
375KB

MD5
c1930a9da9d71c8a6e1264415ae40a76

SHA1
54bd0408dac368f4ac7eca0ac8d77504c2284854

SHA256
ba7b20033f6a3d6689b92de90340103232f01fe02b9477c717ad6205a024fda8

SHA512
1d396dd1ff52ecd7f137fa490d9196da3bd624b1eaae03d565a8c4d2623650ff99825e7c7aed89321e63de4ac843e6979f7cdf8ace8487b7b27f15d658f2776f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
ac2532281f852118106b9d3f2a304fd9

SHA1
7f675a7a45dbdcae49864d8c5c84285b5d9f10f0

SHA256
e63e2b6bb1bea569304a78778c198ab2c4214c3446030f17da907f2b3367dd95

SHA512
8442de695ca453500ad3c0fe55bd3501d91d54f8c92fafdc50f5d753dd1800a2d61e3368c33a560df40d1d4dd2e4955891d3f0a68e41df1a216d584648dc6c38

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1024KB

MD5
af4907fc8c55acde702273129c440e0e

SHA1
4fc3a25b7a8c4cc22129ea38ff8cde3953fd67d5

SHA256
91de2bef1ee92e64cc62d5f8e9f55f4dabe764e3f6997f561229235e4fda2dae

SHA512
f55c3fbe0cb291b3eb152772d98b04bf85a90d9393ac31a63d82cbdd6861e7fd2aa9fa03966b0363ebbdcbac4bdcabbe5f85f42f815786fa75cbfef7c3930657

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
42577b4236ad7c37ebad8a6515a78baf

SHA1
c429b592aaa5aa2f96e68546c797a22bf3e77762

SHA256
f69a3272ec0c31625363bcf8eeaf73ac0f50624759a6f6c593957b84f76309f2

SHA512
c6d2d9bcd7cc34b4f269846c374c679ac3eab4a8aab094a358d25409b7510b88bc58c05302c768023cd61d84b13bcbf1a887a2e6bea751c11cf6dfba39c06824

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
128KB

MD5
ba93f06523f62fc0b9c12e3733b2c435

SHA1
d672c61e2615a6e05e1208e9097a2d9465d40d73

SHA256
84077bc73226d7da8371d899eede8fcdfbab00f9e44fceb69926c49326ff61e5

SHA512
b190b4428651c027bd4c6e087de5afbfc4eb8bd61dc6fccabf67e603178571ccbdfee2a6879823de69578dbdf4d1f621af99867eb52e899bf0ab977fd0329500

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
28dccd6bedea7a7cdb966a983eb2d30d

SHA1
dc91608049539cd6c75cbd7e89fe6974d66d657c

SHA256
3751cdcb929f173701322cd7b1676cf88e659fff27354aa75eb29ec63f635543

SHA512
5dc67a4c1c35fd7ef551100a991e600263f1d5fc20486a7dc984b4495ed341b70a06fae4c388aafe440aea2275463fd29e5d66ce59b8f1dbe3a70bb3d1d93d6e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
aa8218f81a407353078d1acccf61d9ab

SHA1
ccd2a421b31e85edd4355dc4e81daa439eb75909

SHA256
1a150c4e85026f3e59212997d843b473bbda7eba5d96760a5e428e07900438bb

SHA512
4756bbde92009a9453b9a7153870bab9abe82d861fb946b79de939ae15c5d3a0f5fbaf5c23c06c1169dd4f4ba97103a6d8d60426ae95c18d5e45e72012f4d246

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
448KB

MD5
8c9aea3d9124030f46e10fde96a851be

SHA1
ddc5fe7d23ecd8a00a0603a1a256e0f19df5c325

SHA256
ba8f896cb9051febf92630737ac8e29027d3f00901e6c64e5eba2691ad6e1af0

SHA512
96d8f9f6c55808f3a58b485931d735840fb886d9df668d60fc6aeb57994cca558b83245fc93ef4c492d851d97432fde6005f91de51c3030d4b2dfe394a95252f

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
21ba8e7ef978950754abea66cee19e92

SHA1
19abd3d7992373d05539e90cf97613d795399439

SHA256
616c4924766690933d211c4c745d3d6bbeb3491f3ece7c13a5411996ef9a240f

SHA512
a7576938417683195413c7845a11edd56a546d9e6d7dc9138aefeee155884920ed118812eed5036a6418d97189633ce840c18bb1f0d2488af3be96bb70c8d1df

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
060f2056da4bc3f45b73ebb157d97ccb

SHA1
62864c55a03a6c7d8b4d8f960ac266ef05b0b844

SHA256
bd54710ecd66a41697050e22e26f8f1321f202802f896b3422763e8282b21b01

SHA512
7e503c6bad77e913712fa5845de70c5576b76646ee32b2ebd0dfdff63974b5f74e8562aa1a672897fd7913ad69ef988007a366ff3102f46ac930d0247f181d20

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
217ab370814be34f63ac54e10ca50fa3

SHA1
04c121186032642d0812dc789a120ecb6edefe3f

SHA256
336992b6051662db3d3887121bc81e8677b88830d1b4a5fb0bc57f0e7ac6d962

SHA512
a6a70b6f4d8902a0967b5c1d19381e607d5a4ec4018619c7ed28286d5bf7bc2d7da74ce175026bd1b7b26de17a7cdabb1b812fb5546386aea7a36d1dcb157eb3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.8MB

MD5
d7a5051441a1f1589c606022b450da77

SHA1
a4287919caa215a1079a4942d32cd92c8009566b

SHA256
ad058e2dd3ca2a64b6f248d102c0b0a5f86a51b0ba3a2e72ec26e432e7471950

SHA512
1e1ad5100f9c30f45e955505ff0ffbb9b5168a6db86ef5631c934002d650124e6ea8ffdf5e68cf8cc14a19ad9a903e52f63a367a0c17c4a8f8d89f68cb8cfd88

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2caab4784ed9265fa1de3770b7418834\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
de4a57e03c8b004c53dd2f3b0e6df019

SHA1
dcdda28ef40fabe4c37262b553774d6ac3ee2990

SHA256
45b776c67ab68010bf6b36b256ab4f82c8cee6d140074e7e31b88bfe823780fe

SHA512
95aa404ab788e4a4bbbda0308321cf28fd81fbee17dfb92a0a0c1a35dc67e1120f787ea9ae82fefed9dc6b66893accacaf82f59b6772fa83c61052c8d52ddf4d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\304e643b7dbdebed81220d347467708f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
f791b7c27fbee49305616806ec3c0ba4

SHA1
8e3ad996e88ff5c09017b273dfcd9dfbd00e3081

SHA256
916ad69f59ccff121b3316194bf86635a43bcdbb9cce39b32ff44a2c8f0d570d

SHA512
52f6483b2e87abb8bcdd5c9dd5fbca2b109923e6a8c270de1bb16b15d764ddae93dc08f9d96e958498f70cf48f4a3edc2076d034c4cf91142f0be37762405b1d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bc01537de21d49f45fa8a65b9fbf8b30\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
4c7b56daa097475c10ed87cae5872a72

SHA1
b0f3b2fcc28b6d0555482b523604000d7e24ff59

SHA256
02f9f3c7086facdcee4b75e7276ef1390ebdbd638c3a8d94028ebd538da2b532

SHA512
355cf85572959d6e164749bec049c90754e8bb401905b3ab430e33d1280d896b2ba4ba73d126d21a9a1ae648aeb94b2766f35bd5af1fb58b9abd49ee87d50347

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
cb33cef32dfea257e216f0ab172b13c0

SHA1
6e2add424e45c785307489cf6b70d99bae919372

SHA256
2728010f2864889af529decdd24e1552a4e588fd9f9b36f0b96624e2b5f24960

SHA512
3589cd7ba451df06f1a755d9a9e6e672ab7f6de536a9744efad80bf7a3f8fca47bd58dca64c4fb5396937ba2a5eb3a3b576fa600e902860bc62901a5ae95530a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
89205214db0b2889cd6a7bf613559e02

SHA1
d612521a75471804232f52f747cbf703752d4c49

SHA256
a93467727da1252780578fd0b250ac09adf3d2a6d85b1eed6603b60608d2b49a

SHA512
c29f4f04e329929c31d3c6ba272548dd657bc1957568f50f1e5967c23b5a11fb4e3334f1587df03879e2f01df7889e8c7c0b36f7dcf7a5fbf6cd406c85d6c98e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
1e78792bfade3eacca545990e060d046

SHA1
8d69a1743d1968ab4ab9953f46e934313bdea5fc

SHA256
55e1eb204d3c00e7f0181f0f1dd005ebe1639626a76dd25e00587a6fc4b800a1

SHA512
be38d799a521abbffbf97329a21b79d46b380929b8ef4d268927f483395a2fe9fd9f62cfe073a573768b44a533dc29272bbaec997875246ac2ee5e289de55763

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
74f9b5567bbc5000ad7082f7fff89138

SHA1
37de53a8ea1c934f1323b66351a088f8a7ca721b

SHA256
27d52c703342968223ef47adfaacc2eb4b9aa1683ed13ba5cedd24211f5bfed3

SHA512
734f7bd47a74a5e68e8bd4a6f9cfba4f55cc7ef05bffcbb8b973b503d576503c883bf9d29eb35e4b6d5efb516d8ab50cfb6a3e53d05f9dad79bf7b90bdf7fe8e

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
e644d838f925866c8644ce587a811865

SHA1
972864b6bee1a245fa19e201410928bc41da57bc

SHA256
d2712008c1869680a95f718feb6d085344dbff46731c3589b979ebea9f05e937

SHA512
9398d4b166c1733984b5a9e3e765e62d494ef1ada674547db5c27d3ef8909b1f8f4f3bae1e798bebdbaae5d7ce694ff4ba64e2f17dfc3fdb6b41274a5d8934f8

Download Submit
\Windows\System32\msdtc.exe

Filesize
324KB

MD5
af12110eab43592f6d65dcad9ec2765f

SHA1
0b15b50c7222b9dc1011aedfb05a3660f59bbe6d

SHA256
c74b83b40e06dd9573bccc6344e1122e7040284bf40cfc300621043b85d400a7

SHA512
52e4d4b95b742c63e88e2f8a4318b48c13637e93399539118cb31791f57f3c302fefc9fc8dfdef8cafba291fc7115fa7286101d60122f4cb2a763d0a367da2e5

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.4MB

MD5
7632f51ecbe35c2513d07aaba9219705

SHA1
4d6f83dcb7b853951006158e6afacdb0cbf58e3f

SHA256
9f528482fdde5203162654f7f71f289fd1566bd3e0d31e933ea1015fb2172024

SHA512
cae27fbb159a87a65a103d213c5709a3b06a663f72c32b74f556caab552f82217de625c9c5a561ed7052f9acc5a2d912fcff283d1b2b16fc62e12802b9c4e5ef

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
b4520b9f83d54cc03e44e55d2141911b

SHA1
f4c3d18f08569e6a099eef4b37b31da2a78f953a

SHA256
061ac519a677d921d2444804020606a0521389d1aafd7bd042e067c71ccb0370

SHA512
8c2293d70555b0505f942c2ab676378df10c7dbebf3613ca8616d0c9e7a3d902e18369be713db08ce20c54e3b9e7a351cd5e414b98b78905ff6e3dbe6071d858

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b314dd3affb3ece5aafee279615f0c2f

SHA1
462ef297d976b6c7a27f2bdf5393204ed1e0003d

SHA256
45692e968a9b9b1c940df225c188c868c32d621bd3f4d1428aa0ad554c8bc7bf

SHA512
c9a117f8d5fa23e937e96262c9db566cc83b547ee14459e4781b84f55d633dad85e7bd377eab71a6cd9530141ed55ff8a4cfa126e804a5ad06e568de6e252aa9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
a426df1fb0926a0d3866191ffbe813c1

SHA1
643cc0f2b7bdb143462c74ca3f180916ad43cbfa

SHA256
88322faeafe200baac67c13a01cb642eef2ab84db3b02dfbc493c2929b574f07

SHA512
2e10af5737615c22c16df48916fba59cbbf4403585103c6b28efd444ece92e766d224a86885ab7fd73e51b23f368c580747c568303f4545f047a5676068ab11b

Download Submit
memory/292-305-0x000007FEF4000000-0x000007FEF499D000-memory.dmp

Filesize
9.6MB

Download
memory/292-306-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/292-307-0x000007FEF4000000-0x000007FEF499D000-memory.dmp

Filesize
9.6MB

Download
memory/292-378-0x000007FEF4000000-0x000007FEF499D000-memory.dmp

Filesize
9.6MB

Download
memory/292-404-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/584-328-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/584-396-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/584-367-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/584-331-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/584-416-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/656-324-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/656-390-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/656-327-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/752-413-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/752-412-0x0000000001000000-0x0000000001255000-memory.dmp

Filesize
2.3MB

Download
memory/1032-92-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1032-85-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1032-171-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/1032-84-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/1500-342-0x0000000140000000-0x0000000140271000-memory.dmp

Filesize
2.4MB

Download
memory/1500-271-0x0000000140000000-0x0000000140271000-memory.dmp

Filesize
2.4MB

Download
memory/1500-284-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/1532-421-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-401-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-415-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/1576-113-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/1576-115-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1576-121-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1576-152-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/1576-122-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1808-392-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1808-385-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1808-391-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2236-309-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/2244-379-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2244-376-0x000000002E000000-0x000000002E274000-memory.dmp

Filesize
2.5MB

Download
memory/2332-161-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2332-296-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/2332-154-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2332-157-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/2476-375-0x00000000006A0000-0x0000000000911000-memory.dmp

Filesize
2.4MB

Download
memory/2476-373-0x0000000100000000-0x0000000100271000-memory.dmp

Filesize
2.4MB

Download
memory/2504-282-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2504-133-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2504-139-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2504-134-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2516-349-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/2516-420-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/2780-26-0x0000000100000000-0x0000000100263000-memory.dmp

Filesize
2.4MB

Download
memory/2780-162-0x0000000100000000-0x0000000100263000-memory.dmp

Filesize
2.4MB

Download
memory/2816-130-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/2816-98-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2816-104-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2816-97-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/2864-369-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2864-289-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2864-297-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2872-343-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2872-259-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2872-330-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2872-280-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2872-266-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2872-258-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2904-341-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/2904-345-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2904-354-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2904-355-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/2936-254-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2936-308-0x0000000100000000-0x0000000100254000-memory.dmp

Filesize
2.3MB

Download
memory/2936-246-0x0000000100000000-0x0000000100254000-memory.dmp

Filesize
2.3MB

Download
memory/2936-172-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/3056-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3056-249-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3056-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3056-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/3056-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download