0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
Size

1.8MB
MD5

626c977d19e9e9a6ab57ca614fd3e465
SHA1

c73a16970558c67a21aa001d69225a9963cc2f82
SHA256

0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f
SHA512

a6d1eac310d62efacca5fd5021807c2fcfd5e7e2cc3a3726d6e5f1d481308b0e17b1eaf46fe67929e0c4926731ba16c082e77a91ed9378b12670c5d5971ee057
SSDEEP

49152:+x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA2f9Ckt7c20+9qNxUW:+vbjVkjjCAzJVfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2524	alg.exe
1896	aspnet_state.exe
2824	mscorsvw.exe
1704	mscorsvw.exe
332	mscorsvw.exe
2300	mscorsvw.exe
1992	ehRecvr.exe
1040	ehsched.exe
1952	elevation_service.exe
1264	GROOVE.EXE
2532	mscorsvw.exe
1080	mscorsvw.exe
804	mscorsvw.exe
2332	mscorsvw.exe
2104	mscorsvw.exe
2848	mscorsvw.exe
1380	mscorsvw.exe
2888	mscorsvw.exe
1164	mscorsvw.exe
3032	mscorsvw.exe
1544	maintenanceservice.exe
2536	mscorsvw.exe
2388	mscorsvw.exe
1168	OSE.EXE
2796	mscorsvw.exe
412	OSPPSVC.EXE
1904	mscorsvw.exe
2716	mscorsvw.exe
2288	mscorsvw.exe
2688	mscorsvw.exe
1344	mscorsvw.exe
1900	mscorsvw.exe
2848	mscorsvw.exe
1988	mscorsvw.exe
1904	mscorsvw.exe
1164	mscorsvw.exe
2392	mscorsvw.exe
2288	mscorsvw.exe
2444	dllhost.exe
804	IEEtwCollector.exe
2804	msdtc.exe
1392	msiexec.exe
2716	perfhost.exe
2528	locator.exe
1684	snmptrap.exe
404	vds.exe
2312	vssvc.exe
1736	wbengine.exe
1972	WmiApSrv.exe
2084	wmpnetwk.exe
2404	SearchIndexer.exe
2704	mscorsvw.exe
1244	mscorsvw.exe
2340	mscorsvw.exe
1460	mscorsvw.exe
1408	mscorsvw.exe
1444	mscorsvw.exe
1164	mscorsvw.exe
2576	mscorsvw.exe
2224	mscorsvw.exe
2676	mscorsvw.exe
348	mscorsvw.exe
2928	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1392	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
740	Process not Found
1408	mscorsvw.exe
1408	mscorsvw.exe
1164	mscorsvw.exe
1164	mscorsvw.exe
2224	mscorsvw.exe
2224	mscorsvw.exe
348	mscorsvw.exe
348	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe
2308	mscorsvw.exe
2308	mscorsvw.exe
2472	mscorsvw.exe
2472	mscorsvw.exe
2492	mscorsvw.exe
2492	mscorsvw.exe
292	mscorsvw.exe
292	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe
776	mscorsvw.exe
776	mscorsvw.exe
2896	mscorsvw.exe
2896	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe
348	mscorsvw.exe
348	mscorsvw.exe
2684	mscorsvw.exe
2684	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
2676	mscorsvw.exe
2676	mscorsvw.exe
1872	mscorsvw.exe
1872	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ea3c64f878a61a12.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1E3A.tmp\goopdateres_no.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1E3A.tmp\GoogleUpdateCore.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1E3A.tmp\goopdate.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1E3A.tmp\goopdateres_vi.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT1E3B.tmp	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1E3A.tmp\goopdateres_ja.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1E3A.tmp\goopdateres_kn.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD394.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBE9E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDE3E.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC477.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{57F0EB07-2110-4B73-89A9-E72D3125BE69}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{57F0EB07-2110-4B73-89A9-E72D3125BE69}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCBC7.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2552	ehRec.exe
1896	aspnet_state.exe
1896	aspnet_state.exe
1896	aspnet_state.exe
1896	aspnet_state.exe
1896	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2972	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: 33	1720	EhTray.exe
Token: SeIncBasePriorityPrivilege	1720	EhTray.exe
Token: SeDebugPrivilege	2552	ehRec.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: 33	1720	EhTray.exe
Token: SeIncBasePriorityPrivilege	1720	EhTray.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeDebugPrivilege	2524	alg.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1896	aspnet_state.exe
Token: SeRestorePrivilege	1392	msiexec.exe
Token: SeTakeOwnershipPrivilege	1392	msiexec.exe
Token: SeSecurityPrivilege	1392	msiexec.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe
Token: SeBackupPrivilege	1736	wbengine.exe
Token: SeRestorePrivilege	1736	wbengine.exe
Token: SeSecurityPrivilege	1736	wbengine.exe
Token: SeDebugPrivilege	1896	aspnet_state.exe
Token: 33	2084	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2084	wmpnetwk.exe
Token: SeManageVolumePrivilege	2404	SearchIndexer.exe
Token: 33	2404	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2404	SearchIndexer.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe
Token: SeShutdownPrivilege	2300	mscorsvw.exe
Token: SeShutdownPrivilege	332	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1720	EhTray.exe
1720	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1720	EhTray.exe
1720	EhTray.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe
2344	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 2532	332	mscorsvw.exe	40
PID 332 wrote to memory of 2532	332	mscorsvw.exe	40
PID 332 wrote to memory of 2532	332	mscorsvw.exe	40
PID 332 wrote to memory of 2532	332	mscorsvw.exe	40
PID 332 wrote to memory of 1080	332	mscorsvw.exe	41
PID 332 wrote to memory of 1080	332	mscorsvw.exe	41
PID 332 wrote to memory of 1080	332	mscorsvw.exe	41
PID 332 wrote to memory of 1080	332	mscorsvw.exe	41
PID 332 wrote to memory of 804	332	mscorsvw.exe	42
PID 332 wrote to memory of 804	332	mscorsvw.exe	42
PID 332 wrote to memory of 804	332	mscorsvw.exe	42
PID 332 wrote to memory of 804	332	mscorsvw.exe	42
PID 332 wrote to memory of 2332	332	mscorsvw.exe	43
PID 332 wrote to memory of 2332	332	mscorsvw.exe	43
PID 332 wrote to memory of 2332	332	mscorsvw.exe	43
PID 332 wrote to memory of 2332	332	mscorsvw.exe	43
PID 332 wrote to memory of 2104	332	mscorsvw.exe	44
PID 332 wrote to memory of 2104	332	mscorsvw.exe	44
PID 332 wrote to memory of 2104	332	mscorsvw.exe	44
PID 332 wrote to memory of 2104	332	mscorsvw.exe	44
PID 332 wrote to memory of 2848	332	mscorsvw.exe	45
PID 332 wrote to memory of 2848	332	mscorsvw.exe	45
PID 332 wrote to memory of 2848	332	mscorsvw.exe	45
PID 332 wrote to memory of 2848	332	mscorsvw.exe	45
PID 332 wrote to memory of 1380	332	mscorsvw.exe	46
PID 332 wrote to memory of 1380	332	mscorsvw.exe	46
PID 332 wrote to memory of 1380	332	mscorsvw.exe	46
PID 332 wrote to memory of 1380	332	mscorsvw.exe	46
PID 332 wrote to memory of 2888	332	mscorsvw.exe	47
PID 332 wrote to memory of 2888	332	mscorsvw.exe	47
PID 332 wrote to memory of 2888	332	mscorsvw.exe	47
PID 332 wrote to memory of 2888	332	mscorsvw.exe	47
PID 332 wrote to memory of 1164	332	mscorsvw.exe	48
PID 332 wrote to memory of 1164	332	mscorsvw.exe	48
PID 332 wrote to memory of 1164	332	mscorsvw.exe	48
PID 332 wrote to memory of 1164	332	mscorsvw.exe	48
PID 332 wrote to memory of 3032	332	mscorsvw.exe	49
PID 332 wrote to memory of 3032	332	mscorsvw.exe	49
PID 332 wrote to memory of 3032	332	mscorsvw.exe	49
PID 332 wrote to memory of 3032	332	mscorsvw.exe	49
PID 332 wrote to memory of 2536	332	mscorsvw.exe	51
PID 332 wrote to memory of 2536	332	mscorsvw.exe	51
PID 332 wrote to memory of 2536	332	mscorsvw.exe	51
PID 332 wrote to memory of 2536	332	mscorsvw.exe	51
PID 332 wrote to memory of 2388	332	mscorsvw.exe	52
PID 332 wrote to memory of 2388	332	mscorsvw.exe	52
PID 332 wrote to memory of 2388	332	mscorsvw.exe	52
PID 332 wrote to memory of 2388	332	mscorsvw.exe	52
PID 332 wrote to memory of 2796	332	mscorsvw.exe	54
PID 332 wrote to memory of 2796	332	mscorsvw.exe	54
PID 332 wrote to memory of 2796	332	mscorsvw.exe	54
PID 332 wrote to memory of 2796	332	mscorsvw.exe	54
PID 332 wrote to memory of 1904	332	mscorsvw.exe	56
PID 332 wrote to memory of 1904	332	mscorsvw.exe	56
PID 332 wrote to memory of 1904	332	mscorsvw.exe	56
PID 332 wrote to memory of 1904	332	mscorsvw.exe	56
PID 332 wrote to memory of 2716	332	mscorsvw.exe	57
PID 332 wrote to memory of 2716	332	mscorsvw.exe	57
PID 332 wrote to memory of 2716	332	mscorsvw.exe	57
PID 332 wrote to memory of 2716	332	mscorsvw.exe	57
PID 332 wrote to memory of 2288	332	mscorsvw.exe	58
PID 332 wrote to memory of 2288	332	mscorsvw.exe	58
PID 332 wrote to memory of 2288	332	mscorsvw.exe	58
PID 332 wrote to memory of 2288	332	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
"C:\Users\Admin\AppData\Local\Temp\0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2824

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 244 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d8 -NGENProcess 23c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 270 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 278 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 23c -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 280 -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 288 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 290 -NGENProcess 298 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 26c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a0 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 290 -NGENProcess 2a8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 2a4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 244 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1ec -NGENProcess 294 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1f0 -NGENProcess 29c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 248 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1ec -NGENProcess 1e8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 294 -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 254 -NGENProcess 1d4 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 224 -NGENProcess 2b0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 28c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2b0 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 248 -NGENProcess 26c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d0 -NGENProcess 244 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 28c -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 2ac -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 27c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 294 -NGENProcess 280 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 290 -NGENProcess 2b4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 290 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 26c -NGENProcess 2a0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d0 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 1d0 -NGENProcess 27c -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 27c -NGENProcess 26c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 2d0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2d0 -NGENProcess 2c0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d8 -NGENProcess 27c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2dc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e0 -NGENProcess 27c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 27c -NGENProcess 2d8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c8 -NGENProcess 2bc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2cc -NGENProcess 2ec -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f0 -NGENProcess 2bc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2c8 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c8 -NGENProcess 27c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f8 -NGENProcess 27c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 300 -NGENProcess 2c8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 300 -NGENProcess 2ec -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2dc -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 304 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d0 -NGENProcess 304 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2fc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2bc -NGENProcess 304 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2ec -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2dc -NGENProcess 304 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 31c -NGENProcess 2bc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2ec -NGENProcess 324 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f8 -NGENProcess 2bc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 320 -NGENProcess 32c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2fc -NGENProcess 2bc -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 334 -NGENProcess 2f8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 334 -NGENProcess 2fc -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 334 -NGENProcess 338 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 334 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 2bc -NGENProcess 338 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 344 -NGENProcess 328 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 334 -NGENProcess 34c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 32c -NGENProcess 328 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 348 -NGENProcess 354 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 358 -NGENProcess 328 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 358 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 304 -NGENProcess 344 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 338 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 304 -NGENProcess 374 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 378 -NGENProcess 338 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 348 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 348 -NGENProcess 35c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 348 -NGENProcess 304 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 348 -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 38c -NGENProcess 394 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 38c -NGENProcess 370 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 38c -NGENProcess 378 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3a0 -NGENProcess 38c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 384 -NGENProcess 380 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 398 -NGENProcess 390 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1720

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1544

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1168

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:412

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2444

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2804

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2404
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2344
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
ae534be726d25d1388428001f0936409

SHA1
74a71b9806d2eccafece195958f05c202aaf06d6

SHA256
db7948e862958d515b141ac8244add7921b2bd0bbee83a0725257f6d34c3a554

SHA512
15e90adeb3a34cb26a67b89997cf6a1c951cf81bc9824536ebe667dcb3a369d4ef1e0c2a9fbb9bf1e51b7ce0e197848d2de4e96024c250efdfd4dd90dc16e664

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
64bff18f441af99ccb09f10c42317631

SHA1
0b08a0b136e2f35e98a430f502d8815ce28d95c0

SHA256
19bd47397b87a3af1f21ae7077ab1ca11a7f454b1e3a14d201f655ecb67bd789

SHA512
3500fe011809039afce010ab5763c6be7cf53de4e29ad8e2a4273b38d8d3847654f79b24b0c29fe56469848da767ed8916158665ceb000683ab7412d42805886

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
dfc4e4d4f9a95a213083ad5977c6c43d

SHA1
6689a5051d4801bfe5442ff8692e53bb8c1c81ae

SHA256
40a5515f8637c92533f0ce3543e85a4966dc7b084c924e750ba5605a1da734c1

SHA512
b2595f934708d9629d96839afcb36f251ee1fa386c3e481c8659676c90a03ccc84176a18cf01cd8a3a7f6a3a36f4f422a5624cb6589a83b0a844dedd01793490

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b4cf203624a263c0d789f1d9178e4b03

SHA1
8dbd94693302a672f3f627360370b8ca734108ad

SHA256
c655ccc381a739fe38261bc4b19bbe670448c4cf28fb8e571579d555b25b8a71

SHA512
2a1c51791d35119b62457da172c2a438aa9f2203ce1f93bcfefc983892d954934c5472835bf18a15095d888da6a792995184acbeb2e6e4410294baa49eef1f77

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1a7b2e7dd4605dd8cde1f65e92d044e8

SHA1
7644ab06c6d4d3251f85b91ffaaab4cbd8e24a87

SHA256
172b52e4a0f6cc6583ba28f520eabe3ead84a6b8801675c37bbe1c1598c69b93

SHA512
aff405f6e33eef74744f900e2efb23e8ad8bc9a8c7cbd4af4fa9f4c82f6a973e6c5d8fe7649c19b0be4724c16b8576071d4b36f7579feda1787f70037216c65e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
395b90b5d6e98603b7ffaddbc8383fb3

SHA1
0a6cbbddf032fbc48d9563957c84d12b3d5c2067

SHA256
b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd

SHA512
4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
82a8ec5cac96652451dcbccef8a8c649

SHA1
aa143498de763fd266de1f7420c9e4a5036bc4b9

SHA256
df24293ec1cb5d496df489cd88ab52e9842a552f6ddeec3a6e5ef31a5595254f

SHA512
11fa47d4c2eab1ff41519110a783b68d9b20ce3aa6cf96fd7ccc8cfbebc9d39047e25c1654667500e0d5c6b1eb85ef2080b8bca7a98dde074e001e10014ba316

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a5b3593f04da27af445a4838ba7fc928

SHA1
dc67b074b80c34a37ee8c2b9279e0f9cc159f0e9

SHA256
b22eb75792d525bd938c1ca4837734ba02d4f4c78eedc4027b8b28603232f22b

SHA512
c9d46869b23fc7adba7e1ef8ebf02ea7a733a5fb51b81b71a8fd0c06d6fbf224aaf989836b3e5c1a84f7715f79a3cc4b9053613bfefc3e3c16b55a80991b3fda

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
6f8e0a7ba545aecee70d78505ba8bb5e

SHA1
86b17b57321c3aa598678e576c53816e13fb5eb5

SHA256
4d227010163eb77ef00185b59fb4b0dba594b90f178c4d0d8a0bb02980d19752

SHA512
4c30994d6936d7d5bb5d43a4eafc1295bfa05f80accd28ebf7d7f29a26473a4d6bc46810c4be4fcb2df0fc89965c43d46f662c69b46aea4cdcbe512ab6b2a47f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
f0455f64eb66de2903169c966f5de507

SHA1
9146756734cbe2bb1e1cda566aed3aa7579be7fd

SHA256
dea539c53d9ce45e6d2581e487c81162001b9fa57f4c058be60d604eacede0cd

SHA512
bc4a5abc100a2b08294f595f73d5fa099b5ba1b870d49c340a1a9f44129a341eae3d6d37b1a91555cd1f8c4a9e27d897decb29bd6f4132bc769950f4d8bd0d6c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7a2be922a5510a96ba5570a51882eea0

SHA1
1d3da84dce405406d7cc5e713fbddb62da1be999

SHA256
fb623e783fa7de6d6b4ed81eeaae2917b619b0580233fee3e9f53952a157a50f

SHA512
ec9104caebb3a312375761454fca2890155e3058673f451df2853f94d700b06e25d4ddc2e28199bc11c2cf07be445f03129e56af4373eb02d9b2f8de1cb6ef0e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bff3cd97b514b0dd118603c39d00306d

SHA1
fe38b4a9b3aa6630f884a65140d5a5ce8d4aa6cb

SHA256
c94d2ed60d77e2fb70679be28ef3d7b218716ef78b1eed80b4f8cf155b2e6de4

SHA512
a23e5237a590d586c5479c908a89d71c721cbebd5ecc32d8cce758ecb4d161976db61d4efc55347220b59fdd9bb7f5b3e387e06624b6cabbf6ab63f596d43876

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
5fcfab788c988d14cc5d2ca56f767f00

SHA1
76850dd14a68c6994d8fc996b744462f061a4ae4

SHA256
80ee3cc45f395b0f5b754adfdbab7d5c1a16a2ecfc410c24a02a1aae046eb05c

SHA512
efc99cab51457f478e6209ec942ca0e787e0cbe90056900d2ae7ae44eed38e59a2a6662274bf70a1b13517ad5c31515ba22b5379e8465ab70afe12eb2a05ab60

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
ffde39a46ac55b5f69358dd992f783d2

SHA1
c7b78a42f7db06f71bd49f92892aee7cb3dcdd19

SHA256
b972b4afe07158cf7dcd2ea373cb738bad2dea9f06bc86a1672c633678f05425

SHA512
1ddf58229c3bdfb48d42bd4c07bb44afc248430a34189f3a3d7e815366ef936c699a91ab34785899bf0e698ad44a2ad45ca70bbdb31bf222eeed4be3a8625e4c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7aa8ee188e2b0bcb752d912adef4dd55\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
dee9405e7621d497d11117bdd1397a49

SHA1
90bc63c98828d6c2e869c015af3dac2f6db5f5ef

SHA256
2bd4dc1d60f0e2a6a78ce38586cfc50e5641da33270172002daee884a8e2293d

SHA512
559980377272211a08d4be458460e28cf8fc742749257812dc8cc41a5d72ccdec2cdc07f6e867d97a0bbef34a80760df9ecb15976e2cc01f559755180778df40

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\804cd1046519452f86ad0c93fad73b4e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
72a3beacb8de6ee7b383433bca90a639

SHA1
251c637d2699bc5c4719db8b60cadb818a340ffd

SHA256
3f99cb26f92dd28aba887e169ee4f6efa945ecf97f625ebaf95c3798131c570a

SHA512
6348fff621b841f0622e9b3e4d7986dd5c90e61ad989ace1e108003a90ce53121edf73d6f47ea03fa8ed5103d69b17aa3b8264b54fc9cf27519c73ea7ce3f2b6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\891fff5055c76986c90f9cc484782508\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
496b35fb748fe94b8cb551acae11f2a9

SHA1
620090a33ce171658a0dd637453b1a6393350d88

SHA256
b24cc771f73eac43c382a43dcc5924b28c228e8335a1db09fc1b3fa5d987f52b

SHA512
6d8f9170447b184f5acab64cd7411f862d110fb94b45e01aedb00dd3b34ff4be41bc0695fca9900a2d17783b5562efe7d2fa6a68ec01682f8c69e6403e728cc2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
c72a378c0a72dbaae1e32536e0978269

SHA1
45e500fb113b9d9d9f22f848fb97ab1443ede1d8

SHA256
ad8bb63cf9069ddc0f5b4f9dd751d6ef37cf79bf69234992524015ad4bf0a120

SHA512
b8d7eb05046ceb88ae41a6259deb9e7bfe4e0a1afc64fefab0c9567b3dc3a9a9057547d6cbb40a39fa932045449231d81fb799c036f6a04d6ddc8aea5dac4037

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
a0e47e30190186b287af1c21bb7e43ef

SHA1
01eda0062dab4ef2817edffc5869b10a4cd9b59c

SHA256
bbfb32892b413c5c696ad192f1d2594b1bc64d895d559f727936d01dcab7a9c9

SHA512
cd4496986b977aea9c71f1cba02ba29460401f396efd13f47fdc2f7d515ac0faa61d40aa3f674f4115a5e650c361ddec4ba8b10ae8095a80d7f885e6a747ff58

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
aae0c5ff64aaf92774fb537de44764e4

SHA1
644bf4f369a097e4dd6e6f292431d35227c28dfc

SHA256
67d842430293dd848f9ae0ab3bbcfb3596ce248796b526aaf370e34ed5f46f28

SHA512
61ca648379effdd8982717fe118a77a6451ffe6f2f06a9bd34c18ab1d2b21216b5728fc387743df65b405861442aab8304d7a4c8ea2f8374ec3456059707b870

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
54bb4b83c0da766d30c7b2379f543acf

SHA1
cd93754b3a5e6b176714075e15fe545dd038050f

SHA256
7442225b823c3839f46e169074513d6dd99d2a22703f776ba9c70598bafb5b40

SHA512
c56d4a5519d43addf43dbb64476b8af864925321784bc4f5f4e5eb5247e17dd47aecc87b52f2f1a7cd748612b83a90c906a112b7b278bba55ecf55fc5c156f45

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
454fe6fe161f9238c34e9c793beed443

SHA1
98c0948562aaa7e3855f46607a732560fc84cf61

SHA256
ce31b665461a78d4df071685bae71736bf5ea655a033095450c6b08c5b440023

SHA512
003c005ca5cd114664b38f55afe01993174d262f7f5a61d8660a4183d41a378c52e9752c3e6f9f0056a8380a6be5995c5fd00d73fd0909e9342d23033b78e123

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
49b011a1aa66c3fa424cfc3821f0fbb4

SHA1
2f818c7b09d25f48c8bfcb7c8c56e4f7bbee6a86

SHA256
2f0472ae250379bbe9dfd7734304c4dfdf473f2adec349f101642429ecb7df43

SHA512
afa823c9ae7fb0f183c3392028e2a4b33baf34add1814787f6b846503bf3b666e2c044ee0f7fcb77643d31f7231357c2b2495d5971d3c65e1f3a35af207df943

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
473d0ba34287a970c647c5997e5446d3

SHA1
e4fcac1b2eee5923fd3a1b2e537fed8ff05910ca

SHA256
6eb3e450580ab92fb9af48454e715857db4bebbd101a5a5df318e521b5ee1453

SHA512
210abea09d2508172600b758f5da21beb7906408ac594187ff250e579e5e93f31645c82e06518c016ce20b43113944849a3ce418d35790a534122be633210bab

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
4943fcbd19a8cf64112fc90867c4a910

SHA1
49a5b5ec6afb19d8ef23735112e39b37dbef062f

SHA256
4d65459bc5f5904f098e45aa89069567e074d2ac1988bac868ead79531e68eab

SHA512
2586c8b4181503429feb15f80818b851a0703d216c8403ce58e94f1c8fa6806454e74af8d13b513877516c81da2b49004bafdbaf6df23d2e4912cc6959e3ccee

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
20952eeae5649bd75268928a9c4e4056

SHA1
25586f3cfaa1ccdcef4a2e9606dc81941317dbbe

SHA256
1e41301b90ebf7ee287cab0d34878d778213cf964052966ed4e983bc0b86a4d7

SHA512
776c2ae33d43683b7d9917786c4928712cbb3ff28b62b5e9c8c81c722b87d139ee1bd2f2f5d1ada8f4d83e430f3c0717c515dcd6b69cd6464ca52a59cee553c3

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
91baa56aeb3af46844f095d5f1b37f4c

SHA1
bb1c9b65c816ef92360461f8f6841f860ec6eb9b

SHA256
f7519049e92b983b12d883c71d774cf6900c4c0fdd0648d5586bdb434c29695f

SHA512
99dd7c9e16f1b87bdc080741fc73e13411abea7909d56dc271695ef058db7187b5de45bddf7fb3d1ec7aa03fdc779916939747a8b8eb103904650fea5f8e5e34

Download Submit
memory/332-291-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/332-150-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/332-145-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/332-144-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/804-361-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/804-352-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/804-355-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/804-374-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/804-375-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1040-274-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1040-319-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1040-314-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1040-193-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1080-359-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1080-324-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1080-343-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1080-329-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1080-360-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1264-296-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1704-129-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1704-158-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1704-121-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1704-122-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1896-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1896-101-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1896-95-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1896-178-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1952-342-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1952-288-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1952-287-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1992-177-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1992-327-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/1992-312-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1992-276-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/1992-185-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1992-180-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2104-379-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2104-389-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2104-405-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2104-385-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2300-160-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2300-298-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-167-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2300-168-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2332-370-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2332-390-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-391-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2332-376-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-364-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2524-161-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2524-58-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2524-13-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2524-17-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2532-341-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-340-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2532-313-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-310-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2532-304-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2552-348-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2552-353-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2552-295-0x000007FEF4080000-0x000007FEF4A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-294-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2552-293-0x000007FEF4080000-0x000007FEF4A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-299-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2552-322-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2552-346-0x000007FEF4080000-0x000007FEF4A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-141-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2824-106-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2824-111-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2824-105-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2848-404-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2848-400-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2848-394-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2972-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2972-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2972-269-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2972-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2972-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2972-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download