50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 15:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
Size

1.8MB
MD5

f18bcc0d87195b362ac4cb88d3f31803
SHA1

a92d2a56df8b57ccdcb180b5d64ab0c223742d99
SHA256

50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da
SHA512

c00ee21e6ec954f46bcc76e24938c841b2be605d2970d4a440b30c15cd74554b6208446d9daccc642c185d14785b9de29513cb24bc7b829c53d02b5233ee5149
SSDEEP

49152:7M9QPdxwfE7WlFwKAfzuTiDFUFk0iTTksy/vh7SHuU:71PdVQFwKZCFgqTTRyw/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
3064	alg.exe
2976	aspnet_state.exe
2132	mscorsvw.exe
1460	mscorsvw.exe
2000	mscorsvw.exe
1560	mscorsvw.exe
2452	ehRecvr.exe
604	ehsched.exe
448	elevation_service.exe
1368	IEEtwCollector.exe
1724	GROOVE.EXE
896	maintenanceservice.exe
2684	msdtc.exe
2840	msiexec.exe
2572	OSE.EXE
1384	OSPPSVC.EXE
2816	perfhost.exe
1700	locator.exe
1248	snmptrap.exe
1640	dllhost.exe
2588	mscorsvw.exe
2768	mscorsvw.exe
1120	mscorsvw.exe
500	mscorsvw.exe
2440	mscorsvw.exe
2688	mscorsvw.exe
2860	mscorsvw.exe
1340	mscorsvw.exe
1792	mscorsvw.exe
2396	mscorsvw.exe
1960	mscorsvw.exe
888	mscorsvw.exe
2788	mscorsvw.exe
1764	mscorsvw.exe
2440	mscorsvw.exe
1520	mscorsvw.exe
1812	mscorsvw.exe
2924	mscorsvw.exe
1792	mscorsvw.exe
1152	mscorsvw.exe
1176	mscorsvw.exe
1588	mscorsvw.exe
2692	mscorsvw.exe
2680	mscorsvw.exe
1916	mscorsvw.exe
1520	mscorsvw.exe
1980	mscorsvw.exe
2012	mscorsvw.exe
2692	mscorsvw.exe
1512	mscorsvw.exe
2948	mscorsvw.exe
1044	mscorsvw.exe
2552	mscorsvw.exe
2312	mscorsvw.exe
2480	mscorsvw.exe
2612	mscorsvw.exe
2192	mscorsvw.exe
1212	mscorsvw.exe
2352	mscorsvw.exe
1572	mscorsvw.exe
2268	mscorsvw.exe
2164	mscorsvw.exe
2312	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2840	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
2948	mscorsvw.exe
2948	mscorsvw.exe
2552	mscorsvw.exe
2552	mscorsvw.exe
2480	mscorsvw.exe
2480	mscorsvw.exe
2192	mscorsvw.exe
2192	mscorsvw.exe
2352	mscorsvw.exe
2352	mscorsvw.exe
2268	mscorsvw.exe
2268	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
1032	mscorsvw.exe
1032	mscorsvw.exe
1536	mscorsvw.exe
1536	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
624	mscorsvw.exe
624	mscorsvw.exe
2936	mscorsvw.exe
2936	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
2036	mscorsvw.exe
2036	mscorsvw.exe
1816	mscorsvw.exe
1816	mscorsvw.exe
2620	mscorsvw.exe
2620	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ce39d16678a61a12.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\System32\msdtc.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\system32\msiexec.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT3C9.tmp	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C8.tmp\goopdateres_zh-CN.dll	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C8.tmp\goopdateres_cs.dll	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C8.tmp\goopdateres_fi.dll	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C8.tmp\goopdateres_ms.dll	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C8.tmp\goopdateres_te.dll	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C8.tmp\psuser.dll	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C8.tmp\goopdateres_ur.dll	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C8.tmp\goopdateres_sv.dll	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehRecvr.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDAE4.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F89C8F14-817A-472C-93DA-7134661977EB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE0BE.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F89C8F14-817A-472C-93DA-7134661977EB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP35B.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF4BB.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1340	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	868	50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: 33	860	EhTray.exe
Token: SeIncBasePriorityPrivilege	860	EhTray.exe
Token: SeDebugPrivilege	1340	ehRec.exe
Token: 33	860	EhTray.exe
Token: SeIncBasePriorityPrivilege	860	EhTray.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeSecurityPrivilege	2840	msiexec.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeDebugPrivilege	3064	alg.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeDebugPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
860	EhTray.exe
860	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
860	EhTray.exe
860	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2588	1560	mscorsvw.exe	50
PID 1560 wrote to memory of 2588	1560	mscorsvw.exe	50
PID 1560 wrote to memory of 2588	1560	mscorsvw.exe	50
PID 1560 wrote to memory of 2768	1560	mscorsvw.exe	51
PID 1560 wrote to memory of 2768	1560	mscorsvw.exe	51
PID 1560 wrote to memory of 2768	1560	mscorsvw.exe	51
PID 1560 wrote to memory of 1120	1560	mscorsvw.exe	52
PID 1560 wrote to memory of 1120	1560	mscorsvw.exe	52
PID 1560 wrote to memory of 1120	1560	mscorsvw.exe	52
PID 2000 wrote to memory of 500	2000	mscorsvw.exe	53
PID 2000 wrote to memory of 500	2000	mscorsvw.exe	53
PID 2000 wrote to memory of 500	2000	mscorsvw.exe	53
PID 2000 wrote to memory of 500	2000	mscorsvw.exe	53
PID 2000 wrote to memory of 2440	2000	mscorsvw.exe	54
PID 2000 wrote to memory of 2440	2000	mscorsvw.exe	54
PID 2000 wrote to memory of 2440	2000	mscorsvw.exe	54
PID 2000 wrote to memory of 2440	2000	mscorsvw.exe	54
PID 2000 wrote to memory of 2688	2000	mscorsvw.exe	55
PID 2000 wrote to memory of 2688	2000	mscorsvw.exe	55
PID 2000 wrote to memory of 2688	2000	mscorsvw.exe	55
PID 2000 wrote to memory of 2688	2000	mscorsvw.exe	55
PID 2000 wrote to memory of 2860	2000	mscorsvw.exe	56
PID 2000 wrote to memory of 2860	2000	mscorsvw.exe	56
PID 2000 wrote to memory of 2860	2000	mscorsvw.exe	56
PID 2000 wrote to memory of 2860	2000	mscorsvw.exe	56
PID 2000 wrote to memory of 1340	2000	mscorsvw.exe	57
PID 2000 wrote to memory of 1340	2000	mscorsvw.exe	57
PID 2000 wrote to memory of 1340	2000	mscorsvw.exe	57
PID 2000 wrote to memory of 1340	2000	mscorsvw.exe	57
PID 2000 wrote to memory of 1792	2000	mscorsvw.exe	58
PID 2000 wrote to memory of 1792	2000	mscorsvw.exe	58
PID 2000 wrote to memory of 1792	2000	mscorsvw.exe	58
PID 2000 wrote to memory of 1792	2000	mscorsvw.exe	58
PID 2000 wrote to memory of 2396	2000	mscorsvw.exe	59
PID 2000 wrote to memory of 2396	2000	mscorsvw.exe	59
PID 2000 wrote to memory of 2396	2000	mscorsvw.exe	59
PID 2000 wrote to memory of 2396	2000	mscorsvw.exe	59
PID 2000 wrote to memory of 1960	2000	mscorsvw.exe	60
PID 2000 wrote to memory of 1960	2000	mscorsvw.exe	60
PID 2000 wrote to memory of 1960	2000	mscorsvw.exe	60
PID 2000 wrote to memory of 1960	2000	mscorsvw.exe	60
PID 2000 wrote to memory of 888	2000	mscorsvw.exe	61
PID 2000 wrote to memory of 888	2000	mscorsvw.exe	61
PID 2000 wrote to memory of 888	2000	mscorsvw.exe	61
PID 2000 wrote to memory of 888	2000	mscorsvw.exe	61
PID 2000 wrote to memory of 2788	2000	mscorsvw.exe	62
PID 2000 wrote to memory of 2788	2000	mscorsvw.exe	62
PID 2000 wrote to memory of 2788	2000	mscorsvw.exe	62
PID 2000 wrote to memory of 2788	2000	mscorsvw.exe	62
PID 2000 wrote to memory of 1764	2000	mscorsvw.exe	63
PID 2000 wrote to memory of 1764	2000	mscorsvw.exe	63
PID 2000 wrote to memory of 1764	2000	mscorsvw.exe	63
PID 2000 wrote to memory of 1764	2000	mscorsvw.exe	63
PID 2000 wrote to memory of 2440	2000	mscorsvw.exe	64
PID 2000 wrote to memory of 2440	2000	mscorsvw.exe	64
PID 2000 wrote to memory of 2440	2000	mscorsvw.exe	64
PID 2000 wrote to memory of 2440	2000	mscorsvw.exe	64
PID 2000 wrote to memory of 1520	2000	mscorsvw.exe	65
PID 2000 wrote to memory of 1520	2000	mscorsvw.exe	65
PID 2000 wrote to memory of 1520	2000	mscorsvw.exe	65
PID 2000 wrote to memory of 1520	2000	mscorsvw.exe	65
PID 2000 wrote to memory of 1812	2000	mscorsvw.exe	66
PID 2000 wrote to memory of 1812	2000	mscorsvw.exe	66
PID 2000 wrote to memory of 1812	2000	mscorsvw.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe
"C:\Users\Admin\AppData\Local\Temp\50866c24c99f437b26b3c4739f5c1f8535f2915dc4820dc6d2bfe3f6f90811da.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 1f4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 254 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 1f4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e4 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e4 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 1e4 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1e4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 1e4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 288 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 2a4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 248 -NGENProcess 2a0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a8 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 200 -NGENProcess 1e0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 254 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 200 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 1e0 -NGENProcess 244 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 204 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1b4 -NGENProcess 278 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 280 -NGENProcess 204 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 248 -NGENProcess 288 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 290 -NGENProcess 288 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1e0 -NGENProcess 298 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e0 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 2a0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 248 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 204 -NGENProcess 2a8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 29c -NGENProcess 2a0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:1284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b0 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 204 -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 2a4 -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 2bc -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 280 -NGENProcess 2c4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 2cc -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2d0 -NGENProcess 2c0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b4 -NGENProcess 2d4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2a4 -NGENProcess 2dc -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2e0 -NGENProcess 2c0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c4 -NGENProcess 2e4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2cc -NGENProcess 2ec -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 2fc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f8 -NGENProcess 304 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 304 -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2c0 -NGENProcess 30c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 30c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f4 -NGENProcess 31c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 320 -NGENProcess 304 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c0 -NGENProcess 324 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2fc -NGENProcess 370 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 37c -NGENProcess 324 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 2c0 -NGENProcess 384 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 388 -NGENProcess 324 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 394 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 374 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 324 -NGENProcess 39c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 394 -NGENProcess 3a0 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a4 -NGENProcess 39c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 384 -NGENProcess 3ac -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3b0 -NGENProcess 384 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a8 -NGENProcess 324 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3a4 -NGENProcess 384 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 390 -NGENProcess 3b8 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3bc -NGENProcess 384 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 3b4 -NGENProcess 3c0 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b4 -NGENProcess 304 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c8 -NGENProcess 3c0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c0 -NGENProcess 3a4 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 3b8 -NGENProcess 3d0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 304 -NGENProcess 3d4 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3a4 -NGENProcess 3d8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3dc -NGENProcess 3d4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3b8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3c0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3e0 -NGENProcess 3ec -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3e0 -NGENProcess 3d0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 3f0 -NGENProcess 3f4 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2700

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2452

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:604

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:448

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1368

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2572

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5a51e1f38990e8557fa1b78748667639

SHA1
e9f8555d081bca49d042a5622639920c4a0ec312

SHA256
2acc5c17e84998614d444aefebb811cb1eb354ac332791c8d1b4ef4183d4a8e5

SHA512
8658c6e36c0ac94e1fbf9af0e2dedcbb27be6b4b864032a8a6baf72901f945275966e16a864d6e4fbf35c567cd4a786118eaceb7a17da04ad7e5df377f893937

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
5bd63fbbf168f1a5495fd106c448ee10

SHA1
0b84deecfbec1613c793af5407ff46325b0f8a9b

SHA256
94f8b7ba2137107d7f1d46f72e59e092c89dc2e1a1d5294828c19024f8734dd7

SHA512
54e3edcaf74affb4f93e83164c244d78e264828fccd64489a23ca53a6d6fffb42478bd8fccdc7ef77d52f16252d72c33b34c3b4d267acedb514013263cb8e0f0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dacf473232f3bad42d7dcc0fcc47855a

SHA1
5e5de30fbd2214161da5cdfa98c9058f1d98b639

SHA256
a585d3dacc3a77c8d19ca01e438f596d1c95fee9d6f2196c1fe7a4e3f7ae3e8f

SHA512
e27b5cd0587ad7d6f231c872903ce1836398e2da53af448eb7ff8b5f3b7694b2cd3647f438abe5ae336915e6e729f83c2f0b13b1daccbe7721f5e8437fd88997

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
bfbb69806e9186b91a7a2a34e16decec

SHA1
c3029d2dd9f295066c9ed6b6867c8a941ff6f06d

SHA256
c3d291527a4f1311bc057c8e7e1c1dad8cb347cf6f37b00868fe73c887e638f3

SHA512
f5d0540d22bdfd1a66260bbf90a2865649ba6e6d895e4b848a35f863ddbeb717e662dd550e997ad9a77cecc018666ccb7e9c93e6d5eeafbffb17231a968c8657

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b6f08f46fa6c2f10686d3d38bc19d6c0

SHA1
2b91528f3de8ac57feb9ad022f894efa3bfd815f

SHA256
57b4c2e19b2edf55dafa95a39e077c44ae26176948e55f29eeb1e8d2adf8350f

SHA512
b099933519ddd60d30e2d35cf1efb469566321ee45a9e3d1a02107f11a0f17fbb269a4f8783668da4fcf89d56937fe5ccbfedbddb02ea5ca90a3ac7a7076d96d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d7796bf265409c4c31b2053b35379f2e

SHA1
37bbc2fe534a65d20630fbe0cb6f77d4f31c7507

SHA256
72a594330c42149398c8f24ccb80637a0efb5a77aa97fbbb41d05e8eedc5c68a

SHA512
5bae786e53bfce17324e9b19f0b7cf6c4559c9ad0300a2d958605a76bc665f6ce5530adf768cee4cea80c5e7c4f44504b818c52d424d97cc6eed0426bc015f4b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4058b4bcbcecfa318c2b2bf984517c4c

SHA1
b059d6dc7fd9399881e87db34f285649be9914da

SHA256
32b8b4025efade1e1b1c8615aaa221ccd60bad9fe328f1500f05f081101ee1bf

SHA512
13e23b3e36029ace581a6bbde530cdd111c80027f16d347ff6db372da2667734fdd7f5ef4a52b3644ad0f11e6b5f542386836f609ab1a2548a7dbef8e393a8bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
aabd88ebbd5d184aee3b2af06dbb59be

SHA1
abffa524416babf994528df5c03bdca4ec549944

SHA256
461f02262f5708c5f3c35058971e3690b342fa3a7300ebd604d9a3b43ce6a429

SHA512
47aeb6c39c1deca44c533f1300486b7200780e2c581835dbf32497abf0599ae833d719436a5db5462a9b4ca9899f019c40506d641e036867ab6762ad28bfcffd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
1da6f2e9e809019c93fe63d60c47f965

SHA1
6eabfbcc41b0d9733e5d346624ca6fd5478e92cf

SHA256
3512b0d32950e655c55806951a19998ca72c44327d4d047de91cc0d730a226d8

SHA512
79f2c07b8e15ee0e1d2a4e4eda0d75ec5780b5e1fccfb93b53e37e2c6e542650c3eab5deda368938a2da40e7b676b59f7b82e2ac9f15a004d470cc68dbe8a417

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
266de0e19ba77aee7c816ec1701f5a29

SHA1
7a72d71d03d3e0634b282b8b2177f701a8afa495

SHA256
9fb743393a18b39b6659ad080804d4faac1d553568bc03a2658b3abf30a197e9

SHA512
1d6b26c1026860d4f1f02f50b673e651fbc8ba50f1560c4fabffa66507483caad8d1b3367fc4454f427cd3a457af9286f7b670db97914e541579796cbeb0175a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
4cc241aa680121235a937bff50863dd8

SHA1
3b07228c15903615e52e9e0dcbe6926469e3efa8

SHA256
7117c5aabe117f5d750f5b1fc0da6b7157da900290376f521222bad388156a0d

SHA512
d37c7e0007e8ee09fbd29c6b9e99a52db2eb24c4ced2d870bbf7dfdaac8cb7220c9740bd020db721297d7dc92d46b98e3f0c6ce8743adfd9275c18d7a8efa47e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
cb1750ffb9d8a397aa5db091fd3e3b3b

SHA1
cdbbbca6c7cb5ac4934b8430be1c65b368cc78f9

SHA256
7b937a6520290d905f8854e7ed3bf774d6a079ea324f6a1929dbf677e04bfe2d

SHA512
07a50f0a5d31ff390f5987c20b466961bf557454bd82d2ba03716d2f26f85c0b5026f94df552a3c3a1c2200ba56eee622b2ea18e5ae299adf450b329813e8c02

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
0b78e2fa703b9ce7fef8cd6a313d4c10

SHA1
8ae6249344a179eb87bd4b29ce1f6014b0564560

SHA256
e7f0f2df5f5fc85d1d48d089750daed536fb777524582be10187ad60ca8828c1

SHA512
ec0df05409ab21dac8940a19c55fa197a5dad511bd779b4969e5bafa1aef15f21f6bedac220b5fc920bce762d8f38a8579cbdaee06cb3dbc76040e0dc9429b1f

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
a92e1523c9506451619b8843bdf0db1f

SHA1
9ba7fd8aa30bd3f06c474b9047fec33f39ba20d8

SHA256
ef29fb03070c4ded2dd7c81c6d15de1febb4c9a7304f387c86dac8c2b070affb

SHA512
cab8649f8f6bb56cb666c21d28026619e73fa97a5eea74606376f0a22060cee07d90cd7151536d048612178f669ca9fa8386475a33f46814c3d4d3b54cfe9573

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\358ffbb5256bbcb8cc91e1bd4fa4c957\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
8facf5b51a5b46b91f670a13a9e0b6e3

SHA1
3c7c840682bfda45936a6eb215a63070d4cc2130

SHA256
ed8dc5e220a0e1dc24c07245ae11e67d4449b95b8e61fc9cddde0756ea449eca

SHA512
7014588d881a6562d06b2bd528d348d11dc9743d8a0bd14f30079ebeca85e2bba6880ea17c99bf2ad36d4767bd5dbb3744572efcc8081a7bc55d7d8647fcc190

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5f08c5d09c60fae28de6a5560458f380\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
15d7f225ba9c8ae426b7200be11735bd

SHA1
747be19eede8e30a0655d6d696df540f30148b8a

SHA256
567e648891108be0e00a1d325c72c369198ce6078e586da96c56991995ad9a72

SHA512
8bea3f03269428396e9d8488f84591036844936279e0b0743def9569426ea3331813ca00115efe72a29537aa5738dc8601297f98e3ddf88369620f1708ffc233

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a5f235d57c3018bcb1786b58f1791dc7\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
7e11cc88f7681932f04dc4aff794d662

SHA1
4d753c4e3d0c3d95e6594084d8a9aebfd740359e

SHA256
f025af4dc4979944a4b694e1bc15bf3eb4f5ec028f16999263289ab2c90875f5

SHA512
fbb3e5d03d833f961c81a64ad85afb458be764a00e41ce6dbf6847225195e254575a5466b33e3672dc87c72ef7213246bf49098e5f72d79654b6e9aa55aede0c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b403f61dd0632c9bcbf83640bcaca3ca\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
b2093df8631fcc5f66830a6f5401a8f2

SHA1
97b65d15f438c74a02de7abe391347c1de9a1248

SHA256
886996d2cad9a1acef2b0f020daa81923a638079601590ff295322172a1c17e4

SHA512
1f116372e7a541f92fec451e76b97992c2fb050aa0912805fba3fb6cfe8ac5772b3ba37ff008dc675ec378486cd6921f69b56a1d64c56486a4ab3b3f83dc9e98

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
128a0650e7b850fd4a8b194d6a12045e

SHA1
a44034e3e046b69ada6a4716f940e8f2f9e2f18a

SHA256
32b9a0c9b339f8fb64b184c072e6bf97542cd25e8b8ce0054b0efc7c149104c3

SHA512
12042b13a3c44c9a5e8b7fb9a1508d8b9787460854604eecb09c82bf95926cb4c2275748013b67329fddd237aa192e2d28487f94495a70622e2d55851b82a5cc

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
0d7dded0ea9723be19d22370bf9e400e

SHA1
8d0c66f40442c650c2a52a4276f8b15bbdc3f0d0

SHA256
be3857186f00b2055c9d15efd51189200940ea116892475be45f9ed667ea2254

SHA512
37af48a6e61d80d1b84806593dc5349344c5661109a49b30ab9ab4cd15a61c4bd5bd4d85a5d2e36e997b26afa570e95f9e302c046f6cea8605978067b7c8d0f8

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c37d7814583944a27dcfd220cce9b3b2

SHA1
6cd1f2be4081a7cb57d3476661507d9b710b86ce

SHA256
2b182f24e731501c274eb156d536f8c4a097b26f871db503cb75d7575a7a6419

SHA512
fbefdd0c03da590f3ee24707826b86c4388823c3df884b5a8773ece46abfe1b73a84babeff5213e469d7c42636224d25634780aa41502f8a2e0a3ad3a74c92ec

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
7d2565e4a45be9df0a14cf6141e76d05

SHA1
11b0bddc2c177ecadaa739b71842775239afd4fb

SHA256
149e37d0a10b8111e57415951100003f3419a5e7ce7afe5b676228044cc4a003

SHA512
78e8cbe2bd3882b63d83ff8cddae100b2257408498d82721d4aa02d64a94413667a5dc46424789e34fc737d02408260365e56ebbf1c74f3066cfb66ea985c40f

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c96d8201ec2a9d4d84369ca48a5a6b58

SHA1
d56e6afc19dd6db95f9f15b71a5f97a0c9ee14c5

SHA256
83b3045c29fc0707c647efe897d7e0ad4cdb739461419b4f456c372bf43aa3f7

SHA512
02be244cb567f64bcc2eef92b73dfc6243257463af7293cd1f1e49e10cdba323cc470eb47255a659b6ab3c64fc4807efbf1adc1c8cd35c5c64c6c3184f682e46

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8b884f9c5bb5ee1c78c07eb21b9f0451

SHA1
370fdad55612a6d13474bbc083211fc8f6b4c901

SHA256
7356026d04e05f1d3544cad542db3e36b8726d5be540c7d98fc3bc7903096999

SHA512
991eb05040ba2e7fb54073c640ce8cf6f89ae5feb723c5aa5671830f323b6e146dc843a1ee3351edbdf991091468bd9165a3c43b782c86d8811f68ea98b251c0

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b62902ba03da9d8c40ef767c85f702d5

SHA1
0fd8913028b4970faccc54e0b7be7d7fa713ef4e

SHA256
d0ec642ad4966e77abbf73fbf6dd15e418d6f6c76365149edd2d2289b84637a6

SHA512
766272a5548715066aa03f9181e6f6a5c0464c9ea4be53965b2492dc91660824e0921406f4051308aa9a5499090bec62b10bc0370a3201e48df992c5750afb0d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
e0d55947feedc9cb8ceb3fbd1ba4532b

SHA1
cd3b950ac30676a69dba53686713dbc005afe1db

SHA256
503e8f6d0f9aa65c54a68c40393fdd657f17aedd2778c2e49e17d353a5f57615

SHA512
9a4eb4322712bef807b5f29ffcf80625276a670972f8e6053456735d490873947b599ecebabe26217558474fd2252c90b0bbb6f6cf99bfb2fb8eba01981c0c51

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cbb3fc134190001a86381504a96be59e

SHA1
3ad86579a24d206172ed6a05513c080d561a47c3

SHA256
2bab7e527abb2adb2cb0cbaa6ba8f7c48fabb61c3f1ea53c47e05e4cbde51770

SHA512
bfce471ef13be1373a1be95a2d7b988caf5da7a27bb684a7b3708b633051b2bfefd6f5d8ee6e5366702be65db4b9a58fd88d48a6320a5970964cdc12ea103ad0

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ddc75d83fedc06f8255377473a3f0002

SHA1
8a9ca18f0b5e0d463f20b68bcc943e627dba62d8

SHA256
426d1c58d2a7a5f5e8735f9a924a8beda5b43f71135fb115abfa6b9e6bff16fd

SHA512
cd59cd80bf6181f1594527848c9c60ec492fca4c090a287140861309ab36e3a7164f7f557cf73fc4c2882bcb36299191f2d83104db3b2d9e6cf695ec8098633d

Download Submit
memory/448-198-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/448-192-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/448-270-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/448-191-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/604-175-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/604-179-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/604-182-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/604-242-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/604-183-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/868-139-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/868-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/868-1-0x0000000001E40000-0x0000000001EA6000-memory.dmp

Filesize
408KB

Download
memory/868-6-0x0000000001E40000-0x0000000001EA6000-memory.dmp

Filesize
408KB

Download
memory/896-263-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/896-264-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/896-243-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/896-234-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1340-218-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

Filesize
9.6MB

Download
memory/1340-280-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

Filesize
9.6MB

Download
memory/1340-289-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/1340-294-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

Filesize
9.6MB

Download
memory/1340-251-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/1340-340-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/1340-213-0x0000000000FA0000-0x0000000001020000-memory.dmp

Filesize
512KB

Download
memory/1340-212-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

Filesize
9.6MB

Download
memory/1368-214-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1368-215-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1368-292-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1384-315-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1384-316-0x0000000073BA8000-0x0000000073BBD000-memory.dmp

Filesize
84KB

Download
memory/1384-312-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1384-307-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1460-113-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/1460-158-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/1560-148-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1560-142-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1560-140-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1560-216-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1700-334-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/1700-344-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/1724-223-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1724-305-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1724-230-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2000-120-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2000-121-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/2000-127-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/2000-200-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2132-103-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2132-98-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2132-97-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2132-133-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2452-161-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2452-162-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2452-168-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2452-169-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2452-188-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2452-187-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2452-189-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2452-228-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2452-257-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2572-338-0x000000002E000000-0x000000002E161000-memory.dmp

Filesize
1.4MB

Download
memory/2572-298-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/2572-297-0x000000002E000000-0x000000002E161000-memory.dmp

Filesize
1.4MB

Download
memory/2684-259-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2684-248-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/2684-318-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/2816-322-0x0000000001000000-0x0000000001142000-memory.dmp

Filesize
1.3MB

Download
memory/2816-327-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/2840-271-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/2840-282-0x00000000006B0000-0x000000000080E000-memory.dmp

Filesize
1.4MB

Download
memory/2840-283-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2840-331-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/2840-336-0x00000000006B0000-0x000000000080E000-memory.dmp

Filesize
1.4MB

Download
memory/2976-174-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2976-87-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3064-160-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/3064-39-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3064-52-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3064-13-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/3064-12-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download