1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b

Analysis

max time kernel
132s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
Size

1.8MB
MD5

35274f8a1d179c283faa4b00d0100ac5
SHA1

3dd81aa96c016a6307549c2c3e6c60fbee5271fe
SHA256

1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b
SHA512

81e856817b337f0270ed978052fb644311b9a9dc844fd32ccd1786ad726d1dbbab3f9509abe265106e47b200653fda0264f3bea08a67224f933fcd47e17b7e33
SSDEEP

49152:Hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAN0Bia5bsn0:HvbjVkjjCAzJdBia5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exedllhost.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2924	alg.exe
1516	aspnet_state.exe
1612	mscorsvw.exe
2656	mscorsvw.exe
1204	mscorsvw.exe
1540	mscorsvw.exe
1616	ehRecvr.exe
464	ehsched.exe
3048	elevation_service.exe
2480	dllhost.exe
2400	GROOVE.EXE
2728	maintenanceservice.exe
2988	OSE.EXE
1956	OSPPSVC.EXE
1412	mscorsvw.exe
972	mscorsvw.exe
1596	mscorsvw.exe
1868	mscorsvw.exe
2576	mscorsvw.exe
2296	mscorsvw.exe
3056	mscorsvw.exe
1016	mscorsvw.exe
1340	mscorsvw.exe
1496	mscorsvw.exe
1052	mscorsvw.exe
1088	mscorsvw.exe
2644	mscorsvw.exe
2000	mscorsvw.exe
2076	mscorsvw.exe
2088	mscorsvw.exe
1344	mscorsvw.exe
1728	mscorsvw.exe
684	mscorsvw.exe
2760	mscorsvw.exe
2456	mscorsvw.exe
2816	mscorsvw.exe
1560	mscorsvw.exe
2020	mscorsvw.exe
1352	mscorsvw.exe
2808	msdtc.exe
2812	msiexec.exe
1612	perfhost.exe
1820	locator.exe
1988	snmptrap.exe
2640	vds.exe
1804	vssvc.exe
1336	wbengine.exe
1580	WmiApSrv.exe
2008	wmpnetwk.exe
3044	SearchIndexer.exe
1396	mscorsvw.exe
2608	mscorsvw.exe
2928	mscorsvw.exe
1740	mscorsvw.exe
2604	mscorsvw.exe
2268	mscorsvw.exe
2628	mscorsvw.exe
2308	mscorsvw.exe
2788	mscorsvw.exe
1412	mscorsvw.exe
1724	mscorsvw.exe
2560	mscorsvw.exe
2580	mscorsvw.exe

Loads dropped DLL 50 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
2812	msiexec.exe
468
468
468
468
468
744
2604	mscorsvw.exe
2604	mscorsvw.exe
2628	mscorsvw.exe
2628	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
2580	mscorsvw.exe
2580	mscorsvw.exe
1208	mscorsvw.exe
1208	mscorsvw.exe
2724	mscorsvw.exe
2724	mscorsvw.exe
940	mscorsvw.exe
940	mscorsvw.exe
1252	mscorsvw.exe
1252	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
1792	mscorsvw.exe
1792	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
424	mscorsvw.exe
424	mscorsvw.exe
924	mscorsvw.exe
924	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
1296	mscorsvw.exe
1296	mscorsvw.exe
432	mscorsvw.exe
432	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 23 IoCs

Processes:

1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exealg.exeaspnet_state.exemsdtc.exeSearchProtocolHost.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b171a62bae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exeaspnet_state.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\GoogleCrashHandler.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\goopdateres_is.dll	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\goopdateres_zh-CN.dll	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\GoogleUpdateSetup.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\goopdateres_vi.dll	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\goopdateres_mr.dll	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\goopdateres_pt-PT.dll	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\goopdateres_bg.dll	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\goopdateres_ja.dll	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM978E.tmp\goopdateres_de.dll	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exealg.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5BD6.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP564B.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6336.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP675B.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C9C9AB78-03CF-4A5A-9EC0-3FBD28E1279C}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F7E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6539.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4E4F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5DC9.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exeSearchFilterHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRec.exeehRecvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2760 ehRec.exe
1516 aspnet_state.exe
1516 aspnet_state.exe
1516 aspnet_state.exe
1516 aspnet_state.exe
1516 aspnet_state.exe

pid	process
2760	ehRec.exe
1516	aspnet_state.exe
1516	aspnet_state.exe
1516	aspnet_state.exe
1516	aspnet_state.exe
1516	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2240	1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: 33	3052	EhTray.exe
Token: SeIncBasePriorityPrivilege	3052	EhTray.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeDebugPrivilege	2760	ehRec.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: 33	3052	EhTray.exe
Token: SeIncBasePriorityPrivilege	3052	EhTray.exe
Token: SeDebugPrivilege	2924	alg.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1516	aspnet_state.exe
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe
Token: SeSecurityPrivilege	2812	msiexec.exe
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe
Token: SeBackupPrivilege	1336	wbengine.exe
Token: SeRestorePrivilege	1336	wbengine.exe
Token: SeSecurityPrivilege	1336	wbengine.exe
Token: SeDebugPrivilege	1516	aspnet_state.exe
Token: 33	2008	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2008	wmpnetwk.exe
Token: SeManageVolumePrivilege	3044	SearchIndexer.exe
Token: 33	3044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3044	SearchIndexer.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1204	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

3052 EhTray.exe
3052 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

3052 EhTray.exe
3052 EhTray.exe

pid	process
3052	EhTray.exe
3052	EhTray.exe

pid	process
3052	EhTray.exe
3052	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2440	SearchProtocolHost.exe
2440	SearchProtocolHost.exe
2440	SearchProtocolHost.exe
2440	SearchProtocolHost.exe
2440	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe
760	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 1204 wrote to memory of 1412	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1412	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1412	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1412	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 972	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 972	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 972	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 972	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1596	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1596	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1596	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1596	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1868	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1868	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1868	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1868	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2576	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2576	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2576	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2576	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2296	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2296	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2296	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2296	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 3056	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 3056	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 3056	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 3056	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1016	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1016	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1016	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1016	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1340	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1340	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1340	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1340	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1496	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1496	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1496	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1496	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1052	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1052	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1052	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1052	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1088	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1088	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1088	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 1088	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2644	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2644	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2644	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2644	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2000	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2000	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2000	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2000	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2076	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2076	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2076	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2076	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2088	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2088	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2088	1204	mscorsvw.exe	mscorsvw.exe
PID 1204 wrote to memory of 2088	1204	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe
"C:\Users\Admin\AppData\Local\Temp\1cc9f62392c059b745a990f66c2937f42c3111442e5b8f2cadd0d9bd7e5fa56b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 248 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 288 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a0 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 290 -NGENProcess 294 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 2a4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 270 -NGENProcess 1f8 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d4 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1e8 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1e8 -NGENProcess 1d4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1f8 -NGENProcess 278 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 258 -NGENProcess 278 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 274 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2ac -NGENProcess 1f0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1f0 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2a0 -NGENProcess 270 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 270 -NGENProcess 2ac -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 29c -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 2a0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 278 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 270 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b4 -NGENProcess 1f8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 1f8 -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 2bc -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 1f8 -NGENProcess 2b8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1f8 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c4 -NGENProcess 1f8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d4 -NGENProcess 2b4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b4 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b4 -NGENProcess 2d4 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e4 -NGENProcess 298 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 298 -NGENProcess 2b4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c8 -NGENProcess 2c4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c4 -NGENProcess 2f0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 2c8 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 304 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2c8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f0 -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 308 -NGENProcess 2fc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2f0 -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 334 -NGENProcess 32c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 2b4 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 33c -NGENProcess 320 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 334 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 348 -NGENProcess 320 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 328 -NGENProcess 314 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 34c -NGENProcess 344 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 320 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 314 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 344 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 320 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 354 -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 328 -NGENProcess 320 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 368 -NGENProcess 35c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 328 -NGENProcess 120 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 344 -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 320 -NGENProcess 368 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 364 -NGENProcess 370 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 37c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 370 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 37c -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 370 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 37c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 37c -NGENProcess 394 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3a4 -NGENProcess 370 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 370 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 37c -NGENProcess 3b0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3b0 -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 394 -NGENProcess 3ac -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 394 -NGENProcess 3b0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b0 -NGENProcess 370 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c0 -NGENProcess 388 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 390 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 390 -NGENProcess 394 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 370 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3c8 -NGENProcess 120 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 37c -NGENProcess 3a8 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3d8 -NGENProcess 370 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 120 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3a8 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 370 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3dc -NGENProcess 3ec -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3ec -NGENProcess 3d8 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3ec -NGENProcess 3dc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3ec -NGENProcess 37c -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3a8 -NGENProcess 3dc -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3fc -NGENProcess 370 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 37c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3a8 -NGENProcess 40c -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3f4 -NGENProcess 37c -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 37c -NGENProcess 408 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 414 -NGENProcess 40c -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 40c -NGENProcess 3f4 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 41c -NGENProcess 408 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 424 -NGENProcess 418 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 414 -NGENProcess 370 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3f4 -NGENProcess 120 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 424 -NGENProcess 430 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 23c -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1352

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1616

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2480

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2728

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2988

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2440
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
4c87f746d09ea21af13391fdb992867d

SHA1
0a39e478dd8cf4aae28c7205cb26226cbd1768b5

SHA256
129c158f2a9563b8ee0502e9708db9e93836b7bbb63b757cbffbe388f6df2061

SHA512
638e8bc029b082537fee2103283f7f13f5e1b419efed06f66da01fe4628bf5b1816059c78cfbc9e3e309dc03427f98963f5b68c3f3b98c2d206694cec1f0cc2e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
7683e507551d5b864db59d02fd315084

SHA1
c798655d0f445ddac829c5927b7feede8c506f3d

SHA256
cd2b6de7ec702c7a21618d6d408947471e1ebad67f0af78d875d74985c3f1ab3

SHA512
87893fc9ed57b5e6db9e46ea9770ae4e97eaabdcc816d3149405c8065f92621c2f0440f4882677e8c97a8d4b882c8eec97081b5d5d7d359245c1a765cf800cc1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
726dcd36afb89e0da6cca966f58c045b

SHA1
2979bb061f17ae3d1655db3178ad1ca57239eab4

SHA256
a646f2add48230e3b026e1d87d5b137ead277e69dec37672cb7bfb8f9055a5ec

SHA512
8e855c7c749f72bc165572aa2ed02bd78cb87878b97472b0a0cb76a72f2ce83110cba246a5ee9486743f71b8fc5768eafa6769b9f69339e55e5ce2dcb3acaf71

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
c30d1adb5bc457415aad90f3bb4ed290

SHA1
6cdeda2122bbce513307bc231f21841e54155691

SHA256
15383cc15110bf6fd3e06a3079487358525f7b91eef5f0f435c6987830feec50

SHA512
f3f6849f3ea8462d8846e41be9c74c764aba26bd628c296262eb09b5d796f13891179ceaae367d789c625955acafed7be14698b7d55a6ff4940994d2193db11b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3cb0dccbb9bbd6a4e4697733963682e1

SHA1
ec85b2cc060df7a614e0e7ad651ca0029d2dfd77

SHA256
2f67e9d0120e34ddae22ee7b7b600809b59b24b2b96a0e9e58f846ed3681e61f

SHA512
4e8a675708a57dfba438f4b3c11556a07efefcf1d53b0c5d253662ace6f862e17a3ab3d64601b2a6a72b0995be0b4e591d55629c7b4f84dd474ec39a70ef92d5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
2085ff3d9a2ea2334b1dd59741b92b59

SHA1
16ebdfff9994bd9eaa19c30f75280814df9e0fd5

SHA256
e643cb8b5e7979cf895c8185cd5d1a6ffedef542c1b1aa9ed67902d9e2fb4421

SHA512
4f0d56c70f483dbc6de8d5649de9a2bd83cf6da9c67464b84d9540effcd6bc42c09286a18fee7a08c81c8eb559b78ed521546c6552f0381a5be70088c0a9347d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
ee2bcf1f075ebcb781e0ad6c817d5703

SHA1
1a98b201944d990b2b692f98b4f409d8a3195602

SHA256
04070c03fc7ba800e307ff9247b36af7a4b9027a75cf460c0aef62a225bd12f1

SHA512
193ada3ccbca93042233bbdada00eb010f0ead982fa05534168c45633c1b9d41b4cc2a20f1d4dcff1738d3da8b52e323f34425448d8088d7f92bfda86046f98a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
fe4399c47f1b02e8317de6004f4a9b0d

SHA1
24eabdf127821bb954f9f9b872d4ef235e7f3604

SHA256
cfa59df906fa401002e1fc18d86822cf64d783de63e9840a27b8131a6de7685e

SHA512
220d97a0680bf2a0b626932defe05661eff14c58befeac93cd0e96001464d68cc7435cf0b72cb57e6c47a5d3a36ef77f4a657a9308629d2fc053cd1da277faf0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
83fbdd8da66e1a295752ab3bfadb3daa

SHA1
153208f4b4afabe34155c60880d390c40f86c5cd

SHA256
f13f930331772889e047cd1746451e4c3dc66f7d38e84e1f8a52a1770e5ccc54

SHA512
f63d941074fbd09a4a7442a0c796d40f52fa7ef39a5644f05b17c930d975a1daf97b84d2d5046569ff920034b39944a434b63c74a8893e150d7d6912a820667c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
28c33b31bd2859897a8db8da68445adb

SHA1
5191982983b9fec5d67e15fe0d0754fecc698928

SHA256
cf2e2811d42b13f7a40d0159173253d5b91295b0dae1e47c9b0bf82ca401ef80

SHA512
0e3dc4aa4c3e7fb893dfdd16b91aba34e2ec896bfa8d07ac20faf30102b9ffb580b88488c11503237b78d7a45e4355a2e4a37d52c2fd5ee63c2b76ae0580f92a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
96c5fea7e9b6c4742892a40899f9ea6e

SHA1
4e61054766b04cb6e41537fe5304b3be74f04344

SHA256
aa83b8965655afeab27a7c457ed373dbf9e6c02aca5fc0cbc3d7a806adfb2d76

SHA512
ec05c49897ede63f29724bea0b7a922cebf83e29b25d3defd742c68beefaf707cea206b459337ace121027cbcbbdd65029b20630decb96a16b04705c662dfb5f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
792400f2f38c02903ed57d0cc24ab288

SHA1
053736f06f7274a28f472cba630fceef0b384516

SHA256
119ae394feab95ce71a71dc31a26fa5a20b77dbb7a18961ddb5395ba369ebdf8

SHA512
a1eba37a9deb814e9b6a4d4643f377f9deec1a3c638e9c7558dea1474f07886728546a7acd4b936602ac72ccae8d85f715318f1f4c691a3b43640e74ba5502ad

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
56463db9861378c435d155ed256cb25e

SHA1
f3791de77ddea941068f3dc18f137cf71abe1cdb

SHA256
f858ab446a0897e80fd2fceff795dab1dc9f6c26ddd65bd01862d1c35c80a00a

SHA512
81d1ce39ca5c899465ac337b1e4a57008943d64e06c3de62b55d90e3bb6b8c676c3e1f43de43a9d9ae8e34cc29e2df7fbe3b79efa2a0e6aabcffa4f771aac531

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a972b69bab4b960308bc86fdd0665044\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
0513b122700701297c85ead24c70ea17

SHA1
b2a23773eea943f17c2ba02c4b74834023408fd3

SHA256
22243654f857cd30c69bd95e95d2dccd8d0932404bf027cffd63ab3af678fc84

SHA512
52126071ea67185ef9e80fc0b25a03b47215d4925abbf5e34836fd35144ad20f02f0cabc7cd83f195bb286a834c81bf5d34203976132eca7abb952af5a0cfcc1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b499f3857c04a04b676cb5530de1138d\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
c41b923eff407d6133e35a6e57108e26

SHA1
40475704ffcf08b2b082672396c1c1eb5096150e

SHA256
3abc0e22ce030908b19920da6b6aa3f8441c554823c33c2569a207f81ba6b06a

SHA512
58e9606c3d2c4d37ecdf1df1917c614b55d5127444c9b67ffd58671cf7774a2f8fa1e3bc3eb380c4379654c3dc09bca671e3b1fa9d6f0861cb5859921e78ca81

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c76a2db9c597892d3108e63cb44a09db\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
5c01197458e9f600a2f9250e5df97adb

SHA1
170d03ed7e7e53301042f180450d5a73787edd6d

SHA256
fd2ebe47103e105a218b8dcd56c861399f72766386e2a6646ead83d27f6167cf

SHA512
3b28178e8dad43635eaa915dfd3769143d881241b97b7f51645d36d950e40286ace27f0a9783f946281c861b97c77f1e25e6af713dae691dc0982492505764b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP59D3.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.2MB

MD5
116008b0285a1f5e075cd656e54b686c

SHA1
aefc05b08a639e32a2d5e98ec38b5bc75da50f52

SHA256
6ef3104f4552ab484b415e0f3124315fdc45f7f06fc54a5fb4a032c72b2aafc6

SHA512
411161680edae3659a4f6f27dfba1ba4d7ff4c6eade0c6facefd420e78727db2d706dcc82ffb364b23043987201f8f5d29bc599074a033d1c070aa77abfa08c6

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
a86684ce677c29bd8bee737bfa87fdcb

SHA1
9bf9dbce2e303762b3d183794f0c61b9f02814ea

SHA256
a0c64e5130c57ecf884dabf20fd1c70c87894a56c7f5367b8dfb5404e7ee1683

SHA512
7ad90eb6b310c5773069e1548c590da1b87f409e407887336d0b2f57f855277acbae1dac2ad90726f58d9d74d26f0a66432c83db75ebcaf3f34fbd45d976a1b1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
cc39e62aa5a594e386bac0d2ad32dba3

SHA1
5b09e8256f97c63766c0680ed007ab335f8177ee

SHA256
51c1d9aeea7c4a240cd80fa3a8ada1a95eab73a9f57bc1c22ec0892398d71236

SHA512
c22d65fce660c11fa4168d09b69f460e5d2e921e3998c56901456e367b322cd4228865e5781e6ce5d6b6ef59a890009f19f6566ac12c08227acd95bbb0f78719

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
d1aad2d7f8ca84aba7308da7e8faf486

SHA1
54f8c81c06120850f7c494f35bcc770c6e5b7d66

SHA256
0f7c5b4b6bfe9e419061269bda2cd980f312992123b322c7cccd4950ecc62e9f

SHA512
b837d518aeef90e952ec1d7a305315a7f4ec9af88f5e9321fae2457eca1f06adac2a89aecf76e9d952c3ea6a4a8f026b0fcce5710bfdb4a7bfd034f4b8535b2f

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
4a41b35e26bdc8fc2329d91082ae9c0a

SHA1
72dfc7da2ed637362e7d2213d974dcd1390b1dcc

SHA256
04c8d5a538b29e29795cc2a87e8f7deba51f040b067be6041402ad686bd44926

SHA512
6fbcbcf7e340a9d139eefd634daab5e8d16ea7734bfd6765eca657511b1d4f3adf2fc0ca693d581952caa3a5c826709e18620ee42bafe56038f8c4826457978a

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
e5142fa32038cef340954bb98c9c53e7

SHA1
8d2caad2531367aac4019331c10dc01662bc6cc5

SHA256
d35eb74d464d16b66268d8bc213f7c2116a391757a6db886d42d2158be7e8b9a

SHA512
219cd32d00bbdbe7667bdcf4585708b56f2e1bfed15072976c69bc3303fd63554b6436df45ca0a44e09635a760f8ba09a50e2eedb72ceff2eaca5d0067be295e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3b4cda7a8d1dc0d3d32d7d5d162463d3

SHA1
962a78d4fb4e13fce6d36e20a3f7338ec8594c0c

SHA256
22c82c3436691ae821d63e9d3ed1b931021f840ac11cb0502389e014e9598e63

SHA512
f6b6d00f1c0ec4dd365613ecc43169f85c0f71333ff54aaa01e7a9b069197305a9494d7bddc8cabef0642bd065e2c52d0133fe8fef2ca24b45088297724ee543

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
f1062ad98c8e1bea619c24931eee103e

SHA1
10e15471b3a65676aa7fb0c1c39dd75ccc2da3c8

SHA256
ea752a636455fbba9714047fd963e8a59fd03ea59b07715de72dd8ee678564ef

SHA512
a7dd687c17e51101c1f71d534f22a878a087830fc4dfbf599f674a365600ac224a2d6cdbc40739131d8ab95318423865baef0a7e5c30a72a947998600cacf26b

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
82fcfc4aee8c843a71bdf676a131fcc1

SHA1
74f4842cdfcb1e8d3bac433a08b94b126b03baab

SHA256
23024b5eb924626ffb89e95bfd5e2301e0779bc4ba00a303163c37b0c62b2ff6

SHA512
ef0c01bf6245fcd5a5b778519473da38acb1ff23da3a5787863a6a3a65bada315035e904be2b6d9347ff6a918e4fb96ed3f2a5a76186282f9db65bede8f25663

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
b6aed2de9af94c7497e91e9eb2ad9ddb

SHA1
32d6ae24fc921d98006f63002fbc1f5e740b521a

SHA256
f7809d75804955891a0441920443a26b90068024929867e59c4d5a897c18a935

SHA512
176115074e4e3888a83ee5da957cbcec93f3c9ed0d9cb1dd88866340899f22cb90ccc8795e75e3dc683411d722b72b0c0e83cf749cf145b306d68fbf3949514b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
5d2419dd835806328184a194e78f42f5

SHA1
a90cc315ea856b4b18405c9aff3697cb89a6a43f

SHA256
bbbeca5ea674046c4e336193c048f01bab42bf7f24f149ad6cc5482ade50f37f

SHA512
490b398a12a739cef6aaaec9709b2041458d4844728b5b6eb2f430f16b84bd2c7b938f82cfd549adc4f24b68049c5d45b25b8240ada2bdaf1ae273821d85d583

Download Submit
memory/464-810-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/464-537-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/464-174-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/464-175-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/464-181-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/684-742-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/684-721-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/972-437-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/972-487-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1016-604-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1052-626-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1052-644-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1088-651-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1088-645-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-346-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-128-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-129-0x00000000005B0000-0x0000000000617000-memory.dmp

Filesize
412KB

Download
memory/1204-134-0x00000000005B0000-0x0000000000617000-memory.dmp

Filesize
412KB

Download
memory/1336-905-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1340-607-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1340-620-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1344-717-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1352-793-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1352-807-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1412-354-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-429-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1496-625-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1496-617-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1516-292-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1516-104-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1516-96-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1516-95-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1540-148-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1540-151-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1540-142-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/1560-779-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1580-915-0x0000000100000000-0x0000000100159000-memory.dmp

Filesize
1.3MB

Download
memory/1596-484-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1596-540-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1612-119-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/1612-852-0x0000000001000000-0x000000000112B000-memory.dmp

Filesize
1.2MB

Download
memory/1612-107-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/1612-1024-0x0000000001000000-0x000000000112B000-memory.dmp

Filesize
1.2MB

Download
memory/1616-169-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1616-159-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1616-167-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1616-161-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1616-481-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1616-816-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1616-170-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1728-730-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1728-718-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1804-895-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1820-1029-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/1820-856-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/1868-541-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1868-554-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1956-616-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1956-329-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1988-875-0x0000000100000000-0x000000010012B000-memory.dmp

Filesize
1.2MB

Download
memory/2000-681-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2020-789-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2020-804-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2076-687-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2076-682-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2076-683-0x0000000003DD0000-0x0000000003E8A000-memory.dmp

Filesize
744KB

Download
memory/2088-706-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2088-693-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2240-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2240-5-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2240-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2240-149-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2240-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2240-268-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2296-581-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2296-565-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2400-577-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2400-294-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2456-764-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2480-278-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2480-563-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2576-568-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2576-553-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2640-883-0x0000000100000000-0x00000001001A9000-memory.dmp

Filesize
1.7MB

Download
memory/2644-659-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2644-670-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2656-125-0x0000000010000000-0x000000001013C000-memory.dmp

Filesize
1.2MB

Download
memory/2656-117-0x0000000010000000-0x000000001013C000-memory.dmp

Filesize
1.2MB

Download
memory/2728-317-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-304-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-746-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2760-741-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-1016-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2808-823-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2812-838-0x0000000100000000-0x0000000100147000-memory.dmp

Filesize
1.3MB

Download
memory/2812-1022-0x0000000100000000-0x0000000100147000-memory.dmp

Filesize
1.3MB

Download
memory/2812-841-0x0000000000600000-0x0000000000747000-memory.dmp

Filesize
1.3MB

Download
memory/2812-1023-0x0000000000600000-0x0000000000747000-memory.dmp

Filesize
1.3MB

Download
memory/2816-774-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2816-765-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2924-173-0x0000000100000000-0x0000000100139000-memory.dmp

Filesize
1.2MB

Download
memory/2924-40-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2924-37-0x0000000100000000-0x0000000100139000-memory.dmp

Filesize
1.2MB

Download
memory/2924-31-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2988-606-0x000000002E000000-0x000000002E14A000-memory.dmp

Filesize
1.3MB

Download
memory/2988-318-0x000000002E000000-0x000000002E14A000-memory.dmp

Filesize
1.3MB

Download
memory/3048-552-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3048-186-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/3048-192-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/3048-194-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3056-578-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-592-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download