ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/05/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
Size

1.8MB
MD5

669fcd0c67d24d3c0f6f0ead036544f2
SHA1

456bc3ea12f2e4bebd0d6bd1a4bd594bc25f9052
SHA256

ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56
SHA512

670678f119eecb594f269504ad3a8a27ae56b3ee6819d0aed1c8f3183d9ee641baeca2e4d22ae1b290025c2c02200837b5f066464fa723ef0c7988c13189ad59
SSDEEP

49152:7KJ0WR7AFPyyiSruXKpk3WFDL9zxnSVksDM2jh3BqS7YtGL/Als:7KlBAFPydSS6W6X9ln/6MMQS7kGLws

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2596	alg.exe
1276	aspnet_state.exe
1076	mscorsvw.exe
2592	mscorsvw.exe
1816	mscorsvw.exe
368	mscorsvw.exe
1708	ehRecvr.exe
2096	ehsched.exe
1304	elevation_service.exe
1040	IEEtwCollector.exe
2940	dllhost.exe
2532	maintenanceservice.exe
2216	msdtc.exe
2380	msiexec.exe
2768	OSE.EXE
2332	OSPPSVC.EXE
1100	perfhost.exe
2496	locator.exe
2116	mscorsvw.exe
932	snmptrap.exe
1808	vds.exe
2212	vssvc.exe
1756	wbengine.exe
2984	WmiApSrv.exe
564	mscorsvw.exe
1736	mscorsvw.exe
2076	wmpnetwk.exe
1952	SearchIndexer.exe
2508	mscorsvw.exe
888	mscorsvw.exe
2084	mscorsvw.exe
560	mscorsvw.exe
2160	mscorsvw.exe
536	mscorsvw.exe
1416	mscorsvw.exe
1292	mscorsvw.exe
2672	mscorsvw.exe
2580	mscorsvw.exe
3004	mscorsvw.exe
3008	mscorsvw.exe
988	mscorsvw.exe
960	mscorsvw.exe
2060	mscorsvw.exe
1736	mscorsvw.exe
896	mscorsvw.exe
644	mscorsvw.exe
864	mscorsvw.exe
2504	mscorsvw.exe
2708	mscorsvw.exe
2552	mscorsvw.exe
2452	mscorsvw.exe
596	mscorsvw.exe
2260	mscorsvw.exe
2804	mscorsvw.exe
2444	mscorsvw.exe
668	mscorsvw.exe
1092	mscorsvw.exe
2492	mscorsvw.exe
1696	mscorsvw.exe
596	mscorsvw.exe
836	mscorsvw.exe
2840	mscorsvw.exe
2064	mscorsvw.exe

Loads dropped DLL 59 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2380	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
736	Process not Found
2444	mscorsvw.exe
2444	mscorsvw.exe
1092	mscorsvw.exe
1092	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
2064	mscorsvw.exe
2064	mscorsvw.exe
1620	mscorsvw.exe
1620	mscorsvw.exe
2480	mscorsvw.exe
2480	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
788	mscorsvw.exe
788	mscorsvw.exe
1620	mscorsvw.exe
1620	mscorsvw.exe
2996	mscorsvw.exe
2996	mscorsvw.exe
824	mscorsvw.exe
824	mscorsvw.exe
1416	mscorsvw.exe
1416	mscorsvw.exe
1792	mscorsvw.exe
1792	mscorsvw.exe
1184	mscorsvw.exe
1184	mscorsvw.exe
2160	mscorsvw.exe
2160	mscorsvw.exe
2172	mscorsvw.exe
2172	mscorsvw.exe
2452	mscorsvw.exe
2452	mscorsvw.exe
676	mscorsvw.exe
676	mscorsvw.exe
1040	mscorsvw.exe
1040	mscorsvw.exe
1936	mscorsvw.exe
1936	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4b2c0708ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\GoogleUpdateOnDemand.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_es.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_lt.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_sr.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_ms.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\CompleteMove.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_fa.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_zh-CN.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_pt-PT.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_en.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6E6C.tmp\goopdateres_ta.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10D2.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B6D.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP148A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1EC7.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E41.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2127.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2636.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA7.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{92A4610B-419C-41AF-A85F-3B97C8E04E8B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP229E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP167D.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP402C.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1016	ehRec.exe
1276	aspnet_state.exe
1276	aspnet_state.exe
1276	aspnet_state.exe
1276	aspnet_state.exe
1276	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2208	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: 33	2948	EhTray.exe
Token: SeIncBasePriorityPrivilege	2948	EhTray.exe
Token: SeDebugPrivilege	1016	ehRec.exe
Token: SeTakeOwnershipPrivilege	1276	aspnet_state.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: 33	2948	EhTray.exe
Token: SeIncBasePriorityPrivilege	2948	EhTray.exe
Token: SeSecurityPrivilege	2380	msiexec.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeBackupPrivilege	2212	vssvc.exe
Token: SeRestorePrivilege	2212	vssvc.exe
Token: SeAuditPrivilege	2212	vssvc.exe
Token: SeBackupPrivilege	1756	wbengine.exe
Token: SeRestorePrivilege	1756	wbengine.exe
Token: SeSecurityPrivilege	1756	wbengine.exe
Token: SeManageVolumePrivilege	1952	SearchIndexer.exe
Token: 33	1952	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1952	SearchIndexer.exe
Token: 33	2076	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2076	wmpnetwk.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeDebugPrivilege	1276	aspnet_state.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeDebugPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2948	EhTray.exe
2948	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2948	EhTray.exe
2948	EhTray.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
2916	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
1016	SearchProtocolHost.exe
2916	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2116	1816	mscorsvw.exe	48
PID 1816 wrote to memory of 2116	1816	mscorsvw.exe	48
PID 1816 wrote to memory of 2116	1816	mscorsvw.exe	48
PID 1816 wrote to memory of 2116	1816	mscorsvw.exe	48
PID 1816 wrote to memory of 564	1816	mscorsvw.exe	53
PID 1816 wrote to memory of 564	1816	mscorsvw.exe	53
PID 1816 wrote to memory of 564	1816	mscorsvw.exe	53
PID 1816 wrote to memory of 564	1816	mscorsvw.exe	53
PID 1816 wrote to memory of 1736	1816	mscorsvw.exe	77
PID 1816 wrote to memory of 1736	1816	mscorsvw.exe	77
PID 1816 wrote to memory of 1736	1816	mscorsvw.exe	77
PID 1816 wrote to memory of 1736	1816	mscorsvw.exe	77
PID 1816 wrote to memory of 2508	1816	mscorsvw.exe	59
PID 1816 wrote to memory of 2508	1816	mscorsvw.exe	59
PID 1816 wrote to memory of 2508	1816	mscorsvw.exe	59
PID 1816 wrote to memory of 2508	1816	mscorsvw.exe	59
PID 1816 wrote to memory of 888	1816	mscorsvw.exe	60
PID 1816 wrote to memory of 888	1816	mscorsvw.exe	60
PID 1816 wrote to memory of 888	1816	mscorsvw.exe	60
PID 1816 wrote to memory of 888	1816	mscorsvw.exe	60
PID 1952 wrote to memory of 2916	1952	SearchIndexer.exe	61
PID 1952 wrote to memory of 2916	1952	SearchIndexer.exe	61
PID 1952 wrote to memory of 2916	1952	SearchIndexer.exe	61
PID 1952 wrote to memory of 2136	1952	SearchIndexer.exe	62
PID 1952 wrote to memory of 2136	1952	SearchIndexer.exe	62
PID 1952 wrote to memory of 2136	1952	SearchIndexer.exe	62
PID 1816 wrote to memory of 2084	1816	mscorsvw.exe	63
PID 1816 wrote to memory of 2084	1816	mscorsvw.exe	63
PID 1816 wrote to memory of 2084	1816	mscorsvw.exe	63
PID 1816 wrote to memory of 2084	1816	mscorsvw.exe	63
PID 1816 wrote to memory of 560	1816	mscorsvw.exe	64
PID 1816 wrote to memory of 560	1816	mscorsvw.exe	64
PID 1816 wrote to memory of 560	1816	mscorsvw.exe	64
PID 1816 wrote to memory of 560	1816	mscorsvw.exe	64
PID 1952 wrote to memory of 1016	1952	SearchIndexer.exe	65
PID 1952 wrote to memory of 1016	1952	SearchIndexer.exe	65
PID 1952 wrote to memory of 1016	1952	SearchIndexer.exe	65
PID 1816 wrote to memory of 2160	1816	mscorsvw.exe	66
PID 1816 wrote to memory of 2160	1816	mscorsvw.exe	66
PID 1816 wrote to memory of 2160	1816	mscorsvw.exe	66
PID 1816 wrote to memory of 2160	1816	mscorsvw.exe	66
PID 1816 wrote to memory of 536	1816	mscorsvw.exe	84
PID 1816 wrote to memory of 536	1816	mscorsvw.exe	84
PID 1816 wrote to memory of 536	1816	mscorsvw.exe	84
PID 1816 wrote to memory of 536	1816	mscorsvw.exe	84
PID 1816 wrote to memory of 1416	1816	mscorsvw.exe	68
PID 1816 wrote to memory of 1416	1816	mscorsvw.exe	68
PID 1816 wrote to memory of 1416	1816	mscorsvw.exe	68
PID 1816 wrote to memory of 1416	1816	mscorsvw.exe	68
PID 1816 wrote to memory of 1292	1816	mscorsvw.exe	69
PID 1816 wrote to memory of 1292	1816	mscorsvw.exe	69
PID 1816 wrote to memory of 1292	1816	mscorsvw.exe	69
PID 1816 wrote to memory of 1292	1816	mscorsvw.exe	69
PID 1816 wrote to memory of 2672	1816	mscorsvw.exe	70
PID 1816 wrote to memory of 2672	1816	mscorsvw.exe	70
PID 1816 wrote to memory of 2672	1816	mscorsvw.exe	70
PID 1816 wrote to memory of 2672	1816	mscorsvw.exe	70
PID 1816 wrote to memory of 2580	1816	mscorsvw.exe	71
PID 1816 wrote to memory of 2580	1816	mscorsvw.exe	71
PID 1816 wrote to memory of 2580	1816	mscorsvw.exe	71
PID 1816 wrote to memory of 2580	1816	mscorsvw.exe	71
PID 1816 wrote to memory of 3004	1816	mscorsvw.exe	72
PID 1816 wrote to memory of 3004	1816	mscorsvw.exe	72
PID 1816 wrote to memory of 3004	1816	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
"C:\Users\Admin\AppData\Local\Temp\ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1076

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 25c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 284 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a8 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 2ac -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 27c -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2c8 -NGENProcess 2a0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2a0 -NGENProcess 284 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 254 -NGENProcess 2d4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2b4 -NGENProcess 284 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 284 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2b4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 1d0 -NGENProcess 284 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 284 -NGENProcess 2ec -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f0 -NGENProcess 1d0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 2ec -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 1d0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 300 -NGENProcess 310 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 30c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 2b8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2b4 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2f0 -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 320 -NGENProcess 2b8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2b8 -NGENProcess 2b4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 328 -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 334 -NGENProcess 318 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 32c -NGENProcess 33c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 304 -NGENProcess 318 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 338 -NGENProcess 344 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2f0 -NGENProcess 318 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 34c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 308 -NGENProcess 318 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 318 -NGENProcess 334 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 354 -NGENProcess 34c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 318 -NGENProcess 350 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 354 -NGENProcess 338 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 368 -NGENProcess 334 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 308 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 308 -NGENProcess 34c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 34c -NGENProcess 354 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 354 -NGENProcess 318 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 360 -NGENProcess 378 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 380 -NGENProcess 36c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 38c -NGENProcess 388 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 354 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 398 -NGENProcess 384 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 388 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 384 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 388 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 36c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 384 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 36c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 384 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 388 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 36c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c4 -NGENProcess 3c0 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b0 -NGENProcess 36c -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3d0 -NGENProcess 3bc -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c0 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d4 -NGENProcess 3d0 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3b8 -NGENProcess 3c0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3e0 -NGENProcess 3b0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3e8 -NGENProcess 3c0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3dc -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3b0 -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3d4 -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3f8 -NGENProcess 3ec -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3dc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3ec -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3ec -NGENProcess 3fc -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 410 -NGENProcess 3dc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3dc -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 418 -NGENProcess 3fc -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3fc -NGENProcess 410 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 420 -NGENProcess 408 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 41c -NGENProcess 3fc -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 42c -NGENProcess 408 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 428 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3fc -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 408 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 428 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 3fc -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 408 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 428 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 3fc -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 408 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 428 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 3fc -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 408 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 428 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 3fc -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1ec -NGENProcess 218 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 1ec -NGENProcess 1d4 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 460 -NGENProcess 218 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 3fc -NGENProcess 22c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 22c -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:1480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2768

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:932

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 600 604 612 65536 608
  2⤵
  PID:2136
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1016

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
f83003552292b3bf2c87b1349b734a59

SHA1
a901e05b19f1df81938aa53af87df1d0353b4e29

SHA256
16f0241d9370c0d23bf3c183d17f244753806e1d93b57e2f76672eb63b00e2c2

SHA512
d84f7f5c4cb0116a0a3b0d3760d894eb8baf51ea2a1643822d7a68763752df3f05dbd3695bab2c0ceb0eafd161463b6d7783b07f271282121178afd925a71335

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
71f60754d043e632f5a0d5cd18aaedd9

SHA1
a420487d141788a7aa76ec01150c51483a86df97

SHA256
a3808816f08f7420a4ac4cc77029559d9fa19a3bb8029f3961492a51d596d657

SHA512
ed1d37f4f717790e8f14cac32791d284fb8894872e3cb19a6269cfa2a9ee32bb17b417bf419938d2ad23e18a2c9063258866d4f589683ac48e670af970d746a2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1c36e33e71317572d296758a879ed7c5

SHA1
5a224b34fdf7a266c8ee0ec57f3db4a7eca14404

SHA256
2076bc92b61d8642956248ca20d597adccf07371527cda003d295d13877a703c

SHA512
c656d410e5afb43d806cdce55710b3264eb455ab8cb7bc36be6fa0ae312563cb0150b966eea4a637cd01c5b0785ec64fa1cdd2fbb94d397a02ff1f756a5bf184

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
6d3aba967581506d39da26bce5811282

SHA1
06df336d9b33e32bedcee423373597e4f291388d

SHA256
7bd21bc1384b295e1e47f609e451d1ed9e2fbd0b128e8edbd2a69e163f64ebed

SHA512
5be333ffa15a7cfe6987698fad3dd3290a663e92708415db5dc26b46d20be0c8054f0d54e609553856e21d52237404aed3985bb2ba85d7de04acc6afa1a2ad66

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7b6a1b90a945564d958a46f2895dd6c8

SHA1
a73a7944d6a39dd22925e9692cd163b407f39e5b

SHA256
869ebdab6306dd1fce00ea3615c51a1262133a7c2f63af33175703cd7c07e41f

SHA512
02c1f918e73f68192a9116a06e900e0eb7d88848f9fb92b9197a9c1a38ad16474f3ae3cf413611f03d2b0609d653d162b98bd9750a0d83758216ef6476011cf4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
caa664e3b2c385a2a7c8d6e1cc96022e

SHA1
b0b9bb05fe801913daa90dd27589995aad61e357

SHA256
b65a5efafe17677b0dbc06e27a7cae1d6816e50ec4773ff00c99662f9c2daecc

SHA512
4677bd1f56a1bbd963b7610acd912aced433ce065f1883959643413346d97c3b36bc5e0aabe20c907ff0223b1a82a96fcf70223d6ab5214c8ec6eda9193fe60f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
0c3d750c3182cc6bc0f7aa3c509a99cb

SHA1
07dc2d4d5c408e5deef5eb1d994760799f1096a7

SHA256
a0f3e6e76e62a5595bf61c6a5ff7b2b7bcaca06bf431aca4d7aa47f773a246b4

SHA512
173637218f974ba106f590c44582322e6a4171e5d46c93ac543319183c57f3693c56ca5b696dff373413dcc1bee06970d50e9a83097b067add7e56fcee3cd3a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3a81a1176677f35e377cdc15979086ee

SHA1
d18295b49c1b105e6d4f90e5cdb8c8d34ebb08f0

SHA256
266ef2ec01d687dd765fa6ca60760e8943f47b10e9edb999edf3af398b8e53a7

SHA512
3e861c6db28d189b27925dc8e02fe8bf6b6f683c465c1b05c94329bb46cbf9804946ead6dc93d2f84c229b9f5992d1054c2d83859d6afd4ea194a6fe867eb867

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6bc2b427bcea84a425f84ce3e01ee2b4

SHA1
2833abf375d91f5297a6c111aab3051c1def1710

SHA256
de54895ce72999720d013e922356364de39810d035abf7887e12b7b1f0d8f96b

SHA512
3e02f291a170f71d9ed90bb6c49c91b66fd73553d7ace4c54fc078ced5d64c73a7d77672b0d4365943b575e3838f6bbf7f48f83baad0c20e48ee24201b2abaeb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
eb0f44cb0cb116e3a56ed945235096da

SHA1
c41eaacd18b0c9761ab47067dcd4435ee3a44490

SHA256
70124d4eb7bd71372514431293fdb4d358d17df0281c59f4fbe1fe638f8cf6d7

SHA512
d334f702132b6906762436bd6adf1fb521a0786b0047171cf21f7726080d5dcd7c7f740f7d0bb6111493a5776d32159ea36d043f680e81a4b2609594d17b8f71

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5c76331412088e99012920b30aa7f5ed

SHA1
db7387fbfeae372bddadf1034fd8273fe5cca3ff

SHA256
8379bbb47a1a80c00e6e434848e61b344058af0788c3b26930ee76e5567ec70f

SHA512
476676fbe59e780110c86393285f8eb1cac31fb3f7dc771b5016ad472c2f3320c8441841d890c4c19972c37c311f30d3bb035d36753d6b4db709fa02ba494f75

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
3a13a6e112b800464c43d93bee0a0736

SHA1
1ee0176bcd1d81a5b84df34ece75f9fbc21d3be1

SHA256
f28767132ddc612fa38c62960be8c289e2f780e10fa79ac2a6b5ea31be365cad

SHA512
b4a6d62ec723dcef958f0227c5469db085e82d48f63179ff10026989bd3ce6a65d987dc15cafb89155a6f6c560f88fc8d0f48b762d84e416454f996989645c3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
b956648041d47ebe52337132c7d54662

SHA1
54bbaf10083e12bf5ba868ab4539a944dd278360

SHA256
43f9476f9a3bba1d18f552a19c89233047e2962a77d22303dd9bce0332feaabe

SHA512
43397fdbef6fee72367851a5aac22fb9136edfdcc9eb58f286c4d0278c51705b86923173baa4784b0821f69d4dc2d4af4dfcee03f23deca3fe27fd46ec5f1ab8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
793258f2ad55ab72b943a342117aa98e

SHA1
fcd3ec0d37439815c5debc06828bd113957a2d12

SHA256
05f0cf5576aca90bb388a0e0d8d0787a49cc0f724a02e8e2636fc36b3ab55047

SHA512
a120b5f2ae06755a8b703139b888897c901d7778ba23a9730e9b47c820e3260e18c150f289f507cee2760196ccb2e8bcbf7c150b49a2e7383fcc974470babeeb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
051820e782c24c60b854364d3c3eb8da

SHA1
373c88b26cb9a7499fde1d48443a21c5d8f34481

SHA256
43ef06da52f146d4db0cbd2abf5e140ff4ea5ee17dc40e52cd35aacc7ce47a59

SHA512
ec882b166ca646cfb1f53742ecc05c572a6b332653504d31541eb94e2c8f734dd11bb60a3f6938f9138de5e5c22272055adbb71e14d116f4c799e805dbecaf2a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
4f703f39af955fb1e70a048d40ba1499

SHA1
e46a00293503e8248b4b9429ba9e91f8e0cbd891

SHA256
1555a07baf6dbe7869138bbed85b12588e3f70d9e673a9eca6a59ae191a90220

SHA512
e49a3599dd8362b3e20ab46c57c989360a4bae42f66ebf547df4a23b63d4bb25da4be4089c387155c6eaed90fb4654519766ec8118f7e3ed1c93bc30ef911f1b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
c9fcd33c1d65557fce6891c4edce2833

SHA1
e71a87589216109f2000953b2b185431415fd55b

SHA256
f134ec70b3e49feef0c57a3b1ea2ee061cbb0c3da50b7aa2c7b7ea8f83efcfe4

SHA512
94463904fc9ad47b973be69afd704204324b7564ce8a01b72c42ac2a3c58f747ac2230eba94ccf051844abd78530094c978148d84d82084023de84268a91f3dd

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7e4cd879fb4b9b3339e83adc4bc18ab8

SHA1
d98ab5dc294bc415804dba651dfebd96ae65d966

SHA256
7eeb4dfa86c9d18b379df8021764012d2b77ad7e44ec40f08bb0bfbbbfce2bd8

SHA512
9d271f98aa8d3dbe18a49f83ad0710a019a70bfc0f39be0bad3880f6ebc84ea687b9a90fa8a5d8bc1c9ce1d5d99126f892cee97758fc99c9ab324d25fc3905a7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
28ed07b81f34c2ed6ea4937da85e175b

SHA1
1ae78a6fd1bfcb49a5f33917c5ddf713f67dfc9c

SHA256
4206590c3988a9c4ea561fe72b7827c9dedff78a5a5467312ee95630c5e7a9bf

SHA512
18d7d60287e910669fe257d842f88a7d259122af142c91b96a51591d9e1ebf92b7fa0506c819a2b5d50ab004656825364fda8c4de79a4064854d88e369d8c2f5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
f1f815e0bb213d15f9439a79e9430207

SHA1
48cd508bfc407767bd06fd0032d77013a8eed1b6

SHA256
2ea75e4f051238a77d0ed4c986696e1e20c833e52c5a56cfe0a3cf906cd27feb

SHA512
ed1042e2c140ada54d5181a1a383bfce97d87f77fab92de6d2c272980e0ae6607295e8d72ee083bac1c73bd9852aee0637ea13e50c3adc10b3538d177d86bc09

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
269c70dd7603f46a3733b1b3dc099e1a

SHA1
66a4297d8fcb87db6c7d32ed635601fd7a5a6f88

SHA256
40e6e01500a42d8b5a8e3c7f420a3a3c1a41528678caf83fde8bd6381cfd2fef

SHA512
03d3aec269f69a847ef457d07d5d295ad663bf5805ecd23d5ef7ec129bc47fb6ff17143a09308a7bd7dcedbcea4071bd0e3678f04295b62cf57ea5062a739059

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4cffbd6c354740026d7a3a29dd63e3bc\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1fa4c663eb7f4f3f5e7547c8d2849c90

SHA1
7a2e4dc0eacfaab69d5ddfcbf9fcec8ff55b035f

SHA256
3febbc6242bafabbb51659ed696758cc75dadcb7ffc8217b8a032590d97d9166

SHA512
3a40a81785cf707abfb6b5f88b98e6cf413391b4098d1199a1cb7f030fa2e45c3c8502ae6baa7ff56f1476ee700d5f126c14a99433802a1dd328cd66bd9dfdd9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\892dc2e569c75e7f14771ba4ece6f3e8\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ec2cf11dcd9a5c4771f71baccd4c6a96

SHA1
9acb2d6f8f70403b94849e99b5b99c318d05a44e

SHA256
05c9efe096caa30e6054aea740057aa2bf1b6f966dfaca44790796cd3c609959

SHA512
3a4d72fef8a0de42185574204e1a9fd804ccc5dd072338a7239f584f109b42339c39fbdbd7892c8a858cfb11ec373da1dc81ff6db6ba4a740b3407701dcacd1f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\af134402525e5abb1298d71f14c4496a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
ad8430648ca5c266212180655ca032a6

SHA1
1febf5f0c37c5013e96121a95e976b2acb6e75e2

SHA256
8720903f10bcc1741ee769abce48bd02752acca73d97c69fbba7e2dce6b2bc25

SHA512
12688c74f54ea20255ed6a7943d0b1e1230babdc0d3b4575329cc9b21e585e84e3b7010d50c15fdee059633b95b5eb62d3f9d6cffce1a19df3c61dec380ccaef

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b15bb694e41e30ff1f65a6ba8cdbdbfe\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
18c1ae726921b97699c0971d078b3a1f

SHA1
68f2d19cd4c2c8bdc61e4a1fb83979048565f177

SHA256
fa892a6759d93a2e80c733844b1d9bc33da24e231548b79fdbd10d4c34dab2a5

SHA512
e30b33a7f93cb38f2067be64dcc3dcdccfdb532ca5e38b682568ff5e35321cf6d862cb770305482e0ed9fe40a22059bd1380940f04ecaa97945d38d24fa5123f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
381d12b7024ac0b2c6f2a82ee44fcd1f

SHA1
20125f83c36f53b8603871889c6b72e4841f2ea1

SHA256
96b176ebf939f310ff554aff50f6a4398c91dba8878bd54f8adaf9cc86d6e3aa

SHA512
f9faab05217b09b61bcbdef1639eaae1f4dcee8222d89979c6a2940b3f7372f8f034ff491993042d05886243809929fe891df57798443fda50eb60d5637302f0

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
dd58e21f4acaa9191c0531e663109b87

SHA1
61db53dddac254fb0fba835d71d314fe706d6162

SHA256
60e2e98a8b1b42b0fe8e6db26079e818450a650359a69fbc476e40274b972fa6

SHA512
a45418500acc7fde68ba26c93fa8ce47f69dc60fb14c295f8ad697d241b2ea2361528fbdc112efcc6fcdee4217fd201c4820b71c78064a0fa0dbeb430c7e5951

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
b0bf81501be997892097b0d1d3d74565

SHA1
8e2010374d6d8c457c050ba2a942b6e623419381

SHA256
c697c6f7230b354178f76a119a4978c4d2525518f45f43571341879c320cdab0

SHA512
5bd7f927e1ea045c4d2bf37fa57ccde1f1479b59f961a479250db8506f30712cd89acd21dbc4fb1f0940c3056a873802e18989b7095c7d72afef93969127b70b

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
166524ddcf049136902cb90d8cb56b05

SHA1
b79a19b482086f2198fdab127138a9cd4ab06355

SHA256
1c1cebd5f3fa31c92708dcd5937108f8299e747a5fdc1b5ce75ed2927eeb4081

SHA512
633d00a1a7a1e8da03a26509c00369842aff6b7a1ee0de84a58df8ca7e64cb72a2a78aa93e5a0663b6365c291e29fe9c856fa7f88c7c95ecb95f800a34e38b8c

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
8145d4d046711ee7fb9bf7e4ea6cc4b8

SHA1
affb2fb45468c507b4abcfaa77a6d64d2779170e

SHA256
bf6ed0b376ffaf1cab4103901533bf5cd2fcaa50e01648c7ac5b14ba9323d5b6

SHA512
b308f9712be214f353a6c60e8bce5c432d45b19e2b3c8f5c136404a468ff5020d6eab513d7bcb5aadd8af2a478e1c2527a89c142d7c30c979fe906a80050ff67

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
06f6a1f424686fd7ea0f07b05f4c786e

SHA1
60888d9b0b982864e550c278f794d26906329133

SHA256
e97d324e156c52dd0933a37610c4810d9a8d64bad7dc49b11b9718d848487a54

SHA512
ec1f3b937b0cc51e3f2b18738c12bb1c0ef74c6dce822682b97f2aad459b7fddec31de0e4e737b4597eafa49da8034c5741b6d0f1ce8b0ddc95aebd928fe158f

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
de77462ad32a925994a7cb04050f5508

SHA1
289f14f712f0ab8ab9fff9b21eac1e80786aa1e9

SHA256
65acadab44de07629aec7f5ffec59e5da6c7fbc5abe050ab61968f2e66aacf89

SHA512
169aedaa2acdd09ffb821c09f03ea684adc3a561af48e0e6621f3d9a1680b6599d1aeeb7a69790eefeb9cac114a7df423aa21932256440aec82b00e816792030

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d050263ad6307322c22e39e18aa9bf1c

SHA1
341c18f2a65ffce737c1e6a554f8c8ffed2c4520

SHA256
e029499a9032e5d2149e72a3aa4afc9acd9c0e713abfd47fef9dc82124a70f35

SHA512
a84c44002a74d4a7dfe24bce6ff845386706d9fb57650060e9dcda33e17c2dea9c923bd2be91c8a0ae539b3bc73785d983309628315048779599f264be1937e2

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
6c2d19be23e1b8777d97db9b9e3257fe

SHA1
781cb3d0ac4603ebeeb3a16d8c76ff002b2f39d7

SHA256
4a917e9189d3eae148c1983fdb1c7831dcc49890d2c746936c5d1b51463843cf

SHA512
08d5c4eab13e3c719be7c14b90a29b207537c082891c84e004d5fd139c776f6bce5354af1af7def565474cdfa04e2ea3c9c5581db2f584558a66da275aaf43d1

Download Submit
memory/368-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/368-138-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/368-132-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/368-314-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/536-659-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/536-662-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/560-618-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/560-645-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/564-402-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/564-385-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/644-851-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/644-854-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/888-506-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/888-596-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/896-833-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/932-352-0x0000000100000000-0x000000010012F000-memory.dmp

Filesize
1.2MB

Download
memory/960-793-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/960-789-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/988-786-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/988-775-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1040-349-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1040-189-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1076-111-0x0000000010000000-0x0000000010139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-98-0x0000000010000000-0x0000000010139000-memory.dmp

Filesize
1.2MB

Download
memory/1100-331-0x0000000001000000-0x000000000112F000-memory.dmp

Filesize
1.2MB

Download
memory/1276-94-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1276-85-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1276-277-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1276-86-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1292-688-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1292-684-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1304-176-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1304-182-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1304-184-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1304-336-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1416-676-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1416-672-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1708-150-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1708-162-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1708-325-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1708-161-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1708-156-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1708-149-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1736-816-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1736-396-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1736-836-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1736-492-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1756-371-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1756-658-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1808-355-0x0000000100000000-0x00000001001AE000-memory.dmp

Filesize
1.7MB

Download
memory/1808-617-0x0000000100000000-0x00000001001AE000-memory.dmp

Filesize
1.7MB

Download
memory/1816-305-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1816-119-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1816-124-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1816-118-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1952-427-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1952-716-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2060-818-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2076-696-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2076-414-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2084-620-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2084-597-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2096-169-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2096-163-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2096-329-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2096-172-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2116-351-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2116-401-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2160-650-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2160-642-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2208-264-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2208-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2208-171-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2208-8-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2208-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2212-641-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2212-366-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2216-298-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2216-370-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2332-327-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2332-418-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2380-394-0x0000000000690000-0x00000000007DC000-memory.dmp

Filesize
1.3MB

Download
memory/2380-306-0x0000000000690000-0x00000000007DC000-memory.dmp

Filesize
1.3MB

Download
memory/2380-382-0x0000000100000000-0x000000010014C000-memory.dmp

Filesize
1.3MB

Download
memory/2380-303-0x0000000100000000-0x000000010014C000-memory.dmp

Filesize
1.3MB

Download
memory/2496-505-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-338-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2508-489-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2508-504-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2532-290-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/2532-295-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/2580-741-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2580-717-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2592-126-0x0000000010000000-0x0000000010141000-memory.dmp

Filesize
1.3MB

Download
memory/2592-107-0x0000000010000000-0x0000000010141000-memory.dmp

Filesize
1.3MB

Download
memory/2596-53-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/2596-188-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/2672-697-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2672-718-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2768-322-0x000000002E000000-0x000000002E14F000-memory.dmp

Filesize
1.3MB

Download
memory/2768-412-0x000000002E000000-0x000000002E14F000-memory.dmp

Filesize
1.3MB

Download
memory/2940-268-0x00000000003D0000-0x0000000000430000-memory.dmp

Filesize
384KB

Download
memory/2940-276-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2940-354-0x0000000100000000-0x000000010012E000-memory.dmp

Filesize
1.2MB

Download
memory/2984-384-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/2984-671-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/3004-740-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3004-755-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3008-756-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3008-764-0x0000000001C60000-0x0000000001D1A000-memory.dmp

Filesize
744KB

Download
memory/3008-769-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download