751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
Size

1.8MB
MD5

175252250402ee03bfb1eb3a9d029472
SHA1

97458e4842a40a924dd45132c85e5bf055d6c664
SHA256

751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0
SHA512

1c869b6f4b2dcee4efa5db0875cf92f93ee25c0e8dc0734a5f6b6a8baae995eb6f0ec4b481b17cd25611c04db25bb3750d530c8bccc09d5d4bc0150b5d380dd9
SSDEEP

49152:Cx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WADiLlBUKubZrX+ld:CvbjVkjjCAzJUiBSTZL+ld

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2516	alg.exe
2016	aspnet_state.exe
1912	mscorsvw.exe
2636	mscorsvw.exe
1884	mscorsvw.exe
1640	mscorsvw.exe
1624	ehRecvr.exe
1536	ehsched.exe
1308	elevation_service.exe
2612	IEEtwCollector.exe
1272	dllhost.exe
2920	GROOVE.EXE
2460	maintenanceservice.exe
1712	OSE.EXE
528	OSPPSVC.EXE
1656	mscorsvw.exe
2292	mscorsvw.exe
3068	mscorsvw.exe
2160	mscorsvw.exe
1716	mscorsvw.exe
1700	mscorsvw.exe
2640	mscorsvw.exe
2912	mscorsvw.exe
2192	mscorsvw.exe
2108	mscorsvw.exe
2004	mscorsvw.exe
996	mscorsvw.exe
2044	mscorsvw.exe
912	mscorsvw.exe
2708	mscorsvw.exe
336	mscorsvw.exe
3020	mscorsvw.exe
1888	mscorsvw.exe
588	mscorsvw.exe
1044	mscorsvw.exe
2144	mscorsvw.exe
2812	mscorsvw.exe
1408	mscorsvw.exe
1092	mscorsvw.exe
1156	mscorsvw.exe
1412	msdtc.exe
2232	msiexec.exe
1524	perfhost.exe
1212	locator.exe
1816	snmptrap.exe
1124	vds.exe
788	vssvc.exe
2716	wbengine.exe
2648	WmiApSrv.exe
2772	wmpnetwk.exe
696	SearchIndexer.exe
2200	mscorsvw.exe
2836	mscorsvw.exe
2216	mscorsvw.exe
1488	mscorsvw.exe
3024	mscorsvw.exe
2600	mscorsvw.exe
476	mscorsvw.exe
1600	mscorsvw.exe
2584	mscorsvw.exe
3028	mscorsvw.exe
1580	mscorsvw.exe
2328	mscorsvw.exe

Loads dropped DLL 53 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2232	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found
3024	mscorsvw.exe
3024	mscorsvw.exe
476	mscorsvw.exe
476	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
2732	mscorsvw.exe
2732	mscorsvw.exe
1648	mscorsvw.exe
1648	mscorsvw.exe
1132	mscorsvw.exe
1132	mscorsvw.exe
1316	mscorsvw.exe
1316	mscorsvw.exe
2280	mscorsvw.exe
2280	mscorsvw.exe
1132	mscorsvw.exe
1132	mscorsvw.exe
2456	mscorsvw.exe
2456	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
588	mscorsvw.exe
588	mscorsvw.exe
1596	mscorsvw.exe
1596	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
2848	mscorsvw.exe
2848	mscorsvw.exe
884	mscorsvw.exe
884	mscorsvw.exe
1692	mscorsvw.exe
1692	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6bf34df09a3c2c1c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2E9F.tmp\goopdateres_it.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2E9F.tmp\psuser_64.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2E9F.tmp\goopdateres_ko.dll	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP25B9.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP33AE.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4C2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1851.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP428C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6BCD.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3E0A.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEA8E.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP954.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1D70.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2166.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{29305834-E151-4CF9-A148-EF52F53A0983}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002076c23d6073da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080f8fd3d6073da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2496	ehRec.exe
2016	aspnet_state.exe
2016	aspnet_state.exe
2016	aspnet_state.exe
2016	aspnet_state.exe
2016	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2180	751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: 33	1064	EhTray.exe
Token: SeIncBasePriorityPrivilege	1064	EhTray.exe
Token: SeDebugPrivilege	2496	ehRec.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: 33	1064	EhTray.exe
Token: SeIncBasePriorityPrivilege	1064	EhTray.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeDebugPrivilege	2516	alg.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2016	aspnet_state.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeRestorePrivilege	2232	msiexec.exe
Token: SeTakeOwnershipPrivilege	2232	msiexec.exe
Token: SeSecurityPrivilege	2232	msiexec.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeBackupPrivilege	788	vssvc.exe
Token: SeRestorePrivilege	788	vssvc.exe
Token: SeAuditPrivilege	788	vssvc.exe
Token: SeBackupPrivilege	2716	wbengine.exe
Token: SeRestorePrivilege	2716	wbengine.exe
Token: SeSecurityPrivilege	2716	wbengine.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeDebugPrivilege	2016	aspnet_state.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeManageVolumePrivilege	696	SearchIndexer.exe
Token: 33	696	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	696	SearchIndexer.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: 33	2772	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2772	wmpnetwk.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1884	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1064	EhTray.exe
1064	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1064	EhTray.exe
1064	EhTray.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe
2104	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1656	1640	mscorsvw.exe	45
PID 1640 wrote to memory of 1656	1640	mscorsvw.exe	45
PID 1640 wrote to memory of 1656	1640	mscorsvw.exe	45
PID 1640 wrote to memory of 2292	1640	mscorsvw.exe	46
PID 1640 wrote to memory of 2292	1640	mscorsvw.exe	46
PID 1640 wrote to memory of 2292	1640	mscorsvw.exe	46
PID 1884 wrote to memory of 3068	1884	mscorsvw.exe	47
PID 1884 wrote to memory of 3068	1884	mscorsvw.exe	47
PID 1884 wrote to memory of 3068	1884	mscorsvw.exe	47
PID 1884 wrote to memory of 3068	1884	mscorsvw.exe	47
PID 1884 wrote to memory of 2160	1884	mscorsvw.exe	48
PID 1884 wrote to memory of 2160	1884	mscorsvw.exe	48
PID 1884 wrote to memory of 2160	1884	mscorsvw.exe	48
PID 1884 wrote to memory of 2160	1884	mscorsvw.exe	48
PID 1884 wrote to memory of 1716	1884	mscorsvw.exe	49
PID 1884 wrote to memory of 1716	1884	mscorsvw.exe	49
PID 1884 wrote to memory of 1716	1884	mscorsvw.exe	49
PID 1884 wrote to memory of 1716	1884	mscorsvw.exe	49
PID 1884 wrote to memory of 1700	1884	mscorsvw.exe	50
PID 1884 wrote to memory of 1700	1884	mscorsvw.exe	50
PID 1884 wrote to memory of 1700	1884	mscorsvw.exe	50
PID 1884 wrote to memory of 1700	1884	mscorsvw.exe	50
PID 1884 wrote to memory of 2640	1884	mscorsvw.exe	51
PID 1884 wrote to memory of 2640	1884	mscorsvw.exe	51
PID 1884 wrote to memory of 2640	1884	mscorsvw.exe	51
PID 1884 wrote to memory of 2640	1884	mscorsvw.exe	51
PID 1884 wrote to memory of 2912	1884	mscorsvw.exe	52
PID 1884 wrote to memory of 2912	1884	mscorsvw.exe	52
PID 1884 wrote to memory of 2912	1884	mscorsvw.exe	52
PID 1884 wrote to memory of 2912	1884	mscorsvw.exe	52
PID 1884 wrote to memory of 2192	1884	mscorsvw.exe	53
PID 1884 wrote to memory of 2192	1884	mscorsvw.exe	53
PID 1884 wrote to memory of 2192	1884	mscorsvw.exe	53
PID 1884 wrote to memory of 2192	1884	mscorsvw.exe	53
PID 1884 wrote to memory of 2108	1884	mscorsvw.exe	54
PID 1884 wrote to memory of 2108	1884	mscorsvw.exe	54
PID 1884 wrote to memory of 2108	1884	mscorsvw.exe	54
PID 1884 wrote to memory of 2108	1884	mscorsvw.exe	54
PID 1884 wrote to memory of 2004	1884	mscorsvw.exe	55
PID 1884 wrote to memory of 2004	1884	mscorsvw.exe	55
PID 1884 wrote to memory of 2004	1884	mscorsvw.exe	55
PID 1884 wrote to memory of 2004	1884	mscorsvw.exe	55
PID 1884 wrote to memory of 996	1884	mscorsvw.exe	56
PID 1884 wrote to memory of 996	1884	mscorsvw.exe	56
PID 1884 wrote to memory of 996	1884	mscorsvw.exe	56
PID 1884 wrote to memory of 996	1884	mscorsvw.exe	56
PID 1884 wrote to memory of 2044	1884	mscorsvw.exe	57
PID 1884 wrote to memory of 2044	1884	mscorsvw.exe	57
PID 1884 wrote to memory of 2044	1884	mscorsvw.exe	57
PID 1884 wrote to memory of 2044	1884	mscorsvw.exe	57
PID 1884 wrote to memory of 912	1884	mscorsvw.exe	58
PID 1884 wrote to memory of 912	1884	mscorsvw.exe	58
PID 1884 wrote to memory of 912	1884	mscorsvw.exe	58
PID 1884 wrote to memory of 912	1884	mscorsvw.exe	58
PID 1884 wrote to memory of 2708	1884	mscorsvw.exe	59
PID 1884 wrote to memory of 2708	1884	mscorsvw.exe	59
PID 1884 wrote to memory of 2708	1884	mscorsvw.exe	59
PID 1884 wrote to memory of 2708	1884	mscorsvw.exe	59
PID 1884 wrote to memory of 336	1884	mscorsvw.exe	60
PID 1884 wrote to memory of 336	1884	mscorsvw.exe	60
PID 1884 wrote to memory of 336	1884	mscorsvw.exe	60
PID 1884 wrote to memory of 336	1884	mscorsvw.exe	60
PID 1884 wrote to memory of 3020	1884	mscorsvw.exe	61
PID 1884 wrote to memory of 3020	1884	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe
"C:\Users\Admin\AppData\Local\Temp\751ae58b12668b0a0f8617c921a2ff7311bfb1c52bccc1dae0636f02230100e0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 250 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 1dc -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 1dc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 274 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 280 -NGENProcess 244 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 250 -NGENProcess 294 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1dc -NGENProcess 244 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 29c -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 2a0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 250 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b0 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 244 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 20c -NGENProcess 1ac -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 25c -NGENProcess 234 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 20c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1b8 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 26c -NGENProcess 20c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1ac -NGENProcess 20c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 25c -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 274 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 274 -NGENProcess 278 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 250 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 254 -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 294 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 28c -NGENProcess 298 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 264 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 264 -NGENProcess 234 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 234 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 234 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 25c -NGENProcess 2b0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2ac -NGENProcess 2b4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 2b8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b8 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a4 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 25c -NGENProcess 2c4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2b0 -NGENProcess 2c8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2b0 -NGENProcess 2bc -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 28c -NGENProcess 2b8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 25c -NGENProcess 234 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 28c -NGENProcess 2d0 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b8 -NGENProcess 2d4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 234 -NGENProcess 2d8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2b0 -NGENProcess 2a4 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2dc -NGENProcess 2e0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d0 -NGENProcess 2e4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e4 -NGENProcess 2c4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2ec -NGENProcess 2bc -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2dc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2c4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2e0 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e0 -NGENProcess 2b0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b8 -NGENProcess 304 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2b8 -NGENProcess 2bc -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2060

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1624

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1272

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2460

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1712

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:528

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:696
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2812
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
0377f8185a9b76606170d42b292a985a

SHA1
05e65ac27a627f7efcd9498cfbc5769b5e26de1b

SHA256
0e7484777aa697d56b1bd475716bd8ac6e50b811fcd73b4b972e1a68819c6a04

SHA512
66198f9492433a51a6565c065ff7e6dacd372571125e6ec9cbfe13930095be1f91bacc6c8f1a8bca4f7bb3a9dd956fb3980d11125ca8789de8b5d1da32ab10dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
5.0MB

MD5
3e23382d28b2e70d7e4515a34e616d24

SHA1
f5e39ff7d37ce92cbf1096f2f4d8103819bb1c5d

SHA256
426169acd0dcaa6875557aa83a902b0ed048162a8227dbed7c025553d57c2499

SHA512
4668d874099c1f7868da01e7ed7d5479835b534602443b833fcdc0b64c9319533b4bcfe525fbb63b2d3c8c5b6f7b330d96667d9a612d42c60991ec20d3a56f89

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
704KB

MD5
81035e4a0542a2f5c1ff975543cb3791

SHA1
b56dc204c19103a88647b25db8f88363a0dcbdfb

SHA256
75b6be05164315298f4c665f0a4cfffbc2a7fe59f1dd0ba656fa1bb6b332de4f

SHA512
6bb4903ac79ac8e5f84e246a24fc239ac46609ff6295097327dc3c04a9302646364657f5031adccbdd530676d758e8d8781077a46a99bc7c597f34f1f69118f7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
873997c90cc431ccf0ef7eadf50f3a17

SHA1
b709ef9787e943aefbe6a76c354626698e03aa8c

SHA256
d4ec0d784e4ef78c66ab85468dbe577c5418e5feb5651190a2aad7a28456794b

SHA512
17c0d0229c258e266f72a965195a1c6d09c17d49774eea4b798c54da401bb16f748d147a9cc9d80fb972d5ab5fec6480d580ae367c802b6f1177e854adee0440

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
256KB

MD5
4228185d6ea1e1be3ca4a279aee6711b

SHA1
62da0509e7b917b5dc7de03e8e79ee7c83b5e597

SHA256
866b13e106b80940db8e692980663a1073033abed6bbb8c0ca910a47d8d81edf

SHA512
bfb2896f8dc892575691fd99b1fc9259985e112d3b561acdd11107638e21258ecefa8f76ce0652ad994eb22c064e854de44bfad7e1a1d7d1b4219f4a6df6efe4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
62c018f2291a9e89765edfb4bf1d1441

SHA1
f75405b9a05b8971460f3cacca548215cc1cb6e1

SHA256
aef2e5dde4939cb8a77715851a76fb9c2f4eff1335a1f5551f94955a7adda3c4

SHA512
20b5c908a0aa51dc4af737a705f62020d6abbd84294d2a016119e895d3586e1c7b90a9114819dd60c9a478e73ed791968c3485e88241a10e33fb74657a4fd01e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
0b3a7eb6c9f30115d74e509f2e72821e

SHA1
9a1e5718d56ccad808b035f7b54f4b67a3d1ee55

SHA256
5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499

SHA512
33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
2e908e1b010537dae43580adb1c34467

SHA1
2d083a8f5317c472fa0df7a8acc9a9add5173661

SHA256
1220c51897c4e875213efa7afa4dd1563d1c6ee267e28f862cd542e01ce78411

SHA512
f4026a895f65534d6e317a3d118474b9e41dc8e5dd2cebf1a5d723fa1a9907ed26d0373c2c7df784cb8cfbe8df771d2fc7d5bb5fdb13d8914af06ff1af1c076d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
810KB

MD5
1eac356a50d02ad647eed5e2ad320522

SHA1
34b087a3b79b802252acbce69c0aa97f2237351a

SHA256
5cf1698ff1a074fe8dc448702362d8948eaf3d3eaf0fa51134975c65d0df206a

SHA512
d5a5ea665cd4b122f76fd5566e13c9128d3af3e896739d1df6d2a93fc723cf46d9a0acb54b1820ca248185e94a77f63c5ad17a00406d9a6ebb994d681e9b3c19

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
ac6e40f4fa314ed637be2745077a2de9

SHA1
7de358b785975372ee2684380bc22ab6fc4a4837

SHA256
a9e2ea2be3c56cdf7b70ab0207592d0cdb805baf49f778c1890afe588fcd5db0

SHA512
ac47fe9d6016accff2e7254d525e0a818c85e7a65d645b3094587e3e2c335d5aa802c79716a50ed2e2f884e7c0096ae8d6c8be0c1c28292ec35be91dcc045d76

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6d9136fb19a9ebbb31cc40bf5f9f6deb

SHA1
4d7a404f993660ff79c5f0c470816aa2cf2e5484

SHA256
bc6b925db8726f0b23c452dcbec5b7524677aeba851c4bb70495c955c0cb3b21

SHA512
95079f96f94fbc024ae9a67f775243f69221f38810555eb3ef673711c1e99eb677b54304987a8398a0ced63e7fe95464ca81210e8a34517c6d7a0c952dbb5aca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
9d98c18c16fb5185e866b463f5fc4880

SHA1
7ded106dac9c08835681d39fbc6b50a071690f91

SHA256
9926bf2f39146c402f5ea616eb0714708765481548836afc09a49de7daa9004a

SHA512
1c35088b75c7c1f66731da176311f685a3cb5eb3eb559fd970f8da86273b60df0b66cd85be5a57dcd51f5531ff318848eba0831bde49838174bfe06aa2057a99

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c909d41879de68824b27bfb2c74140f5

SHA1
4c800036f476988049e544435bc69ee313d10070

SHA256
700c9b0b9eecf90ec37e5b836f69b1066d158556b4b5305a14647542b54f8d9f

SHA512
4813bd331963f2fbb2f3c3219cd5cf0ac6f7dfe4bef21a3d6896decfc9e00f2582467aacfdc3c91f620e42841f17a79a7a750189b76c85bedc21536abd24e6ee

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
f051cda9aaf8660347a11b05610ab21b

SHA1
5fc38edccc71620f7a9078bb003cb7cbf24a58d4

SHA256
ea295425e019d2c65027f98e19704e0d5fff770eb787f7d682b0c0509d527c24

SHA512
9868fc3172dea2eb0d301fa0cbe90de6ec7a1436ae64f302c336a9c5dd0a27aa53eb51a144722768fa39d170ff7ddde1b3adbed7ff5d9907b0f4a43da44039f6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
da4212b6fcf9aa31a6773c107e7e924b

SHA1
29e3eea2aefa5cc89ab6538db7f310944daa9ac8

SHA256
e38cd7a2d85001950d2c8d4228492fded369abb63731f5f985cc885462bc0dba

SHA512
4eb495228bc3af590ba595f1bdbf43d239b348fc65c41390992105edd61aedeeaedb6d85771b6d475807b2d9bc35c7656a7a51373f79d92bb0f2ceef18ebc7de

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f65cb49d8e9eab5ffd4ecf1dafbfb264

SHA1
a7fd1fd44f7313aaa450e5e03180f413bbdfc743

SHA256
a7df61a918d8135c448a6ab5ca452e84aa66b9a1cfd3360a188f089a36f7a93c

SHA512
cd2d7fd0fb485bce98ecded9ab78a07adb0b1633cfb1e7dae1be874e03d8b7c01392c2c3fb43fea032defe0490fe22010be328d9f31aa3644708a0febdf9b102

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
723KB

MD5
f5936e97e2d72fcfffe2703073f402ee

SHA1
873c33ee64536ee188fc8330ad2210cb16e7079f

SHA256
400c0b434782c4fd6e0f85263de66897a7a964588ac13bb1815f5def4e7e3a4b

SHA512
7112514b9f276e5dc166f082377232b98f15c664fdbd391a615378049176012c83199a82f690f564a77b9530721360df7bce10659e42bb121c5049bcc8a2a356

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
69dd2a869fde0e5d4629d79d64584b22

SHA1
4b0deca983999890f985fd773bf7560180d15292

SHA256
5b0c2bb4a94c4972ce23f4a4778323adbeb37f3b477a1ff5018614e01a2c868d

SHA512
e1151edc429ce2badc73fdda9f28a4f4769d1d39c763cdd662f6441de5695545356615f72b81b908c65669b7fa25ecc69687ac06a9368491ce93bfc7e167d2bc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
805f18579e9b011b9ee7c0ea0a94e08f

SHA1
0d204efb845135a826364ff145af67d3da1b7ca3

SHA256
2ba1ecf66036b7c5603de65290a38195311e311436e4941c32a691e2380a475e

SHA512
ecfcf8d43c0e2fb095441c5cfa810ef56e5a6efc474d0a512ee8a8b8acdee4f2bfae6f91b45e9f83ea5ebc59359c778fce1bc1aedaca531c51f9a3bb0be24115

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
930KB

MD5
cfde8bfbcf5c5e596a81e51d0f253372

SHA1
b6411fe34732ae89ee60eca37b6e412ad56ab13b

SHA256
ca98cfccb59dc6243cdcf37fe0df181b3d02133b6a7c1cf10dbb14e5303b2f91

SHA512
327558efa8383f659404379abf83d87bfe40574bf2fcd65bac11901be9277ff438bcc70b8549885d4206c311fabde24766a516e94c09fc79a3099d449fc45c7f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
220KB

MD5
b1780132a2959b67960ddc270ba577ff

SHA1
1f29f8d722195b64cf396f4745df877f9421882f

SHA256
cc33034a9b9a0d83086431d83772fe140d6de67d773ef7ebc9bb0500d9141e9d

SHA512
316f376dd204fe6fbe1bba2d67aedf9e1866fd54c87539c6658acdaca75486dc65093837ca290b0034df5c86467c083cb07a780e0ea6cc1648e024419f2a4d64

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7128b68d0049e4818583485229a44618

SHA1
3464ab8df8900798550826227c8f54f3c810a74d

SHA256
a39ab8fb290099c76e54c0016df0f071cec46ce7ab59ae58285b9fdb1291b903

SHA512
bab70735c92e1f4c74c13f86bd6bb16ac99dff1ce85a1b10ac601e3814ce0fdb369ae5846c511e7bd9327b041fab1e8fb41200b933a64a08b4a6a50ba29b9be7

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
4cfc361a510fb85b4aef5479814f947b

SHA1
d3ea8025ffb1751040aa4cb0ca41894277e4856a

SHA256
7c58899ac210a6d6cb9e31868396e524342670340c4e18bf3e666f3c27f39f44

SHA512
f945aa85e19dacbfa05e679b5ee0ab43582ffb80c8348b22bd459c14eafafb36ea7b5100afa7c09ba7ae06917ccd199a9950f0aff46ef98c058d5170ce5c1e2b

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
46f0fa74ea3ab3f67279922d3c726e45

SHA1
f5dfb405af085c95282a9c30cd9600cea81d5e31

SHA256
4f24b5a2fd906d73e5bfdaf6f066f9f434fcd28bffe99b82c8d554fb795260e4

SHA512
8aa3abc8e6f34ff61564e0c1074de61de7844e61cdcc7397a2bd131b744abf089ce117120962311700ae629eabb2d3038bb3d30c1091e9f0be69c1c8e85e8b51

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\02e4d062b70e3928e0b7c879e676cec3\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
2d58ce907f0ac89c14c87b7ef167d8c8

SHA1
039133da9fd306d9794117c00034b4d8c4cea150

SHA256
38fbe1536dab71f13ed6abb528fdd0df0d279d61794a6786794bab6f031f41e3

SHA512
abf701a93513615f5c5879ec0a7acc9c37a5e553753a1eafda7cfd03dfe67fb931e4aa05437102221bdfff598b73665f438572e3f305ea489e2b21eefa4319e3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\55f36babf661097396a938b4321ad629\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
8fbb04671f82f246548312382630cd6b

SHA1
62f33b0009e8975478f5f84641751d251a4af1ee

SHA256
75ebc1932cd7d6556737fece65d2735217cdeb65ee1b12754825daf935a72af5

SHA512
94debef6f04871d90923fb7ef1c55fefcb6ec0071b8d13d341da945de68fc1798a726bc3c7a23a8d7791558a49a4ce97ee9ab4e4ab7ce9a6799359e4b2d24952

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\64b3c21480f82936e6ac11edd9c27cb0\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
c1631764801d6d9db9468879ed44e765

SHA1
f1b195300cad8bb116b282ce80010b7f5d99fec2

SHA256
97d35520f4795fa14d2da3cdb5f82b8c4be4f4e84cff0f69b954a585073c6419

SHA512
76e2d46ccbb84b4c49b42f39834df607a0aa89f2fade2ac4f9577f73ef19c2b00aa6f36d64358c6b3afd1de46894e61bfbc055019af6eac854087081ab639f8d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\aceb6739d0a5f1eca22983b9082b4476\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
4011befe865f41b95f05c0c5fa516819

SHA1
28f23b14f7feb1cd38fb4c351f27227d980cb6cf

SHA256
0e5041bf75083c842c0281ae3e648155238d4f5c2a0e42cd073d815b3875454d

SHA512
944425b29f8652ceb49b43fb72681ea86288e0709de541047a222acbfdb76496bc9ac18a149dcef45479e2544d297a34299b3c72cebd169c228032aa1057151f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
d4112231085a086ece47b5efd08792db

SHA1
de1743569e60b1b441ecac32b11ac069b7d4a583

SHA256
13beeaa59bd5551ff99c2b7a1718efb56946857d91b070c0ebbf9290fd72a93b

SHA512
3977cec33f2b473c19f60773c8bbc6a00ec6b91a4481d32381788eab9ea4f683cb194e29f6303bec1e361e611e6ada6f9c97d89456fec4e1a8ec574ea82d6705

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
00eafc52ff1f8779efe1eaa0813ba18a

SHA1
0f31c159c154efa7b1fd4a75f13438dac033319b

SHA256
451cc4a67145b37cfe8917ddbdd6704f7525939db08614901c102f051e26f92f

SHA512
aca42d933fad77276c68116da67b2dbe0d14d86388fb5324912cbbbf3d9bfb3885374c9655a58e4b7eb7d84f200a9ea6bad912f2df4de3ceb0f092d6ae19f1e7

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
e7de0489c68d3543d3f40e0410dfbf34

SHA1
1f087fe13720a2e44d12a98c3a9be9c64ce811fa

SHA256
58fd2e83bd4149f259ed21a943f4728146cb78e7960c0f1bfdb9d9cbee14f200

SHA512
44b2f895075d8b88312a87a3f1aba167b02b4b67847e818b7e222563fdf09db8ddbd657fa01ada8c3026d61b969efbff963370a43e7509c6f00f2dfe6e127015

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
dc6528957cf2924e4d66cbdef1007466

SHA1
58a852cbafcab2f7754135e5a2b66f61df930728

SHA256
60219494657261c8d94f148011beb7d3900cbbc79817d439cc9019211a393c31

SHA512
2b6207197d8bade7b5df7441d5a69f92f62bc5b6e9abc01f8bc1d1fccab5158fdd5b2bd0f2131426c82506241529150aeed587e8f0bd7a4194f404e4e44d016b

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5c1c58723c52bce48a5713ea3266fd8c

SHA1
926fd508260204225f36029dfc7eb2ac73ad0bd3

SHA256
99b3bf0e3daf2508bf076c4f4b6ed7abced6ab3dc8d8d777bdc99c2ac57ddc6c

SHA512
5285d42fa7fd0a77cd4a743bffb70551f3cbe5d144437c28e9d38ef5306b006d47ca7b6588e6c20e901293cd8417f280e40b99c71d078bff208fbd9c9917bdeb

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9125d14e942b9548f2eea5940541e51e

SHA1
8f54ce1399f88e827035b92f94964f8b37c3e9c6

SHA256
2130ba949978b37bbad8940eabd969eae346da66edb84b015d7ea26eb32253aa

SHA512
f364c64ccf8e6e14980e00d8bfe3ec12a844f1e6554d7dd816a404bedb51b918a2b6f464c35ef5fda8878b5f21b191c43f8e1cfe1d5d2dfd58e2c790d22ecfca

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0f5b4792d1d5b1d57f48945fe01048cf

SHA1
6c9a8f29f90dd1ba27a6315c4b7435cc5bb28efd

SHA256
12c942d38673e47156b541ced997fed574792249717abd00c589f8ed4bb3aa8e

SHA512
3c9e84d99db83cd6e128e525a3f05c57ef957db0401245e901b5a635a26018518853d620e1fb234b2fed6a5b59c0170e731dd5dc940e2922789645efb55eb052

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2ad83cb7ffe6fe9864663d383b89a131

SHA1
f770f8d249cce3e33bb7707d77c39231ff565100

SHA256
31c7923a28d638ade97583f2c1d08a2e8826ed3c23c089e4d727bc3b4776eee6

SHA512
0743711b49da88f7ac515572de80bc2dc3c888bbbd428345181506046987c389b96133009d961b8c1c38a2994e167c18ad3eb0dd023552682635bfa0dfb1542c

Download Submit
memory/528-379-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/528-413-0x0000000073DC8000-0x0000000073DDD000-memory.dmp

Filesize
84KB

Download
memory/528-395-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/528-388-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1272-319-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1272-320-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1308-367-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1308-219-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1308-210-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1536-194-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1536-347-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1536-202-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1624-185-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1624-334-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1624-180-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1624-177-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1624-207-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1624-363-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1640-166-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/1640-161-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1640-158-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/1640-323-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1656-397-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1656-470-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1656-469-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1656-468-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1656-411-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-366-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1712-453-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1712-359-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1884-146-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1884-218-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1884-141-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1884-140-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1912-157-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1912-114-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1912-108-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1912-107-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2016-103-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2016-102-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2016-96-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2016-94-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2016-178-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2180-139-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2180-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2180-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2180-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2180-293-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2180-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2292-481-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-516-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2292-467-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2460-349-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2460-355-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2460-353-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2460-342-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-377-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2496-500-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/2496-393-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2496-318-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2496-299-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/2496-368-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/2496-322-0x000007FEF4440000-0x000007FEF4DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2496-502-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/2516-16-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2516-159-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2516-37-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2516-17-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2612-374-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2612-298-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2612-324-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2636-190-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2636-123-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2636-124-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2636-131-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2920-335-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/2920-333-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2920-391-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download