5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Size

4.3MB
MD5

70aeafe4eb901ee040eb4a15196b4aa8
SHA1

3c0b9b13495c0475c3bec4ba7e9a4dced77f99c1
SHA256

5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb
SHA512

cfd2d8bd90bb532f1891583117eae7e4adf8dd89182e2a0335eca80f7643b30672959e47a98ba9d89ed0d102de6ded480887550b9bb9381f39389ab789abf3e1
SSDEEP

49152:+KKxeyjA45RD50kBSbxR+DOblWylRrlV/cu5UZLikDepLNiXicJFFRGNzj3:WEyj90kBSbxR+DObf+Av7wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2576	alg.exe
2488	aspnet_state.exe
2324	mscorsvw.exe
2424	mscorsvw.exe
1028	mscorsvw.exe
1508	mscorsvw.exe
1764	ehRecvr.exe
1908	ehsched.exe
936	elevation_service.exe
2732	IEEtwCollector.exe
2928	GROOVE.EXE
1548	maintenanceservice.exe
1088	msdtc.exe
1900	msiexec.exe
1372	OSE.EXE
3000	OSPPSVC.EXE
2716	perfhost.exe
2448	locator.exe
2776	snmptrap.exe
1640	vds.exe
2784	vssvc.exe
764	mscorsvw.exe
836	wbengine.exe
1388	WmiApSrv.exe
2228	wmpnetwk.exe
1528	SearchIndexer.exe
880	mscorsvw.exe
2800	mscorsvw.exe
1548	mscorsvw.exe
2408	mscorsvw.exe
2900	mscorsvw.exe
1212	mscorsvw.exe
2376	mscorsvw.exe
1428	mscorsvw.exe
3036	mscorsvw.exe
2356	mscorsvw.exe
1164	mscorsvw.exe
940	mscorsvw.exe
1728	mscorsvw.exe
1308	mscorsvw.exe
764	mscorsvw.exe
1664	mscorsvw.exe
2416	mscorsvw.exe
1216	mscorsvw.exe
2468	mscorsvw.exe
2804	mscorsvw.exe
2364	mscorsvw.exe
2300	mscorsvw.exe
1096	mscorsvw.exe
1216	mscorsvw.exe
2152	mscorsvw.exe
2364	mscorsvw.exe
2552	mscorsvw.exe
1928	mscorsvw.exe
1496	mscorsvw.exe
1244	mscorsvw.exe
2440	mscorsvw.exe
1412	mscorsvw.exe
2040	mscorsvw.exe
2404	mscorsvw.exe
1476	mscorsvw.exe
1432	mscorsvw.exe
1316	mscorsvw.exe

Loads dropped DLL 59 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1900	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
744	Process not Found
1496	mscorsvw.exe
1496	mscorsvw.exe
2440	mscorsvw.exe
2440	mscorsvw.exe
2040	mscorsvw.exe
2040	mscorsvw.exe
1476	mscorsvw.exe
1476	mscorsvw.exe
1316	mscorsvw.exe
1316	mscorsvw.exe
1888	mscorsvw.exe
1888	mscorsvw.exe
2676	mscorsvw.exe
2676	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
696	mscorsvw.exe
696	mscorsvw.exe
956	mscorsvw.exe
956	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2504	mscorsvw.exe
2504	mscorsvw.exe
632	mscorsvw.exe
632	mscorsvw.exe
1172	mscorsvw.exe
1172	mscorsvw.exe
2628	mscorsvw.exe
2628	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
2172	mscorsvw.exe
2172	mscorsvw.exe
2728	mscorsvw.exe
2728	mscorsvw.exe
1036	mscorsvw.exe
1036	mscorsvw.exe
2468	mscorsvw.exe
2468	mscorsvw.exe
1212	mscorsvw.exe
1212	mscorsvw.exe
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\System32\vds.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\715c2b29ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\System32\alg.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP362D.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBFD6.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27BC.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP69AB.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3073.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C6D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP56F6.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAA24.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4CD9.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2552	ehRec.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2488	aspnet_state.exe
2488	aspnet_state.exe
2488	aspnet_state.exe
2488	aspnet_state.exe
2488	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: 33	828	EhTray.exe
Token: SeIncBasePriorityPrivilege	828	EhTray.exe
Token: SeDebugPrivilege	2552	ehRec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeSecurityPrivilege	1900	msiexec.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: 33	828	EhTray.exe
Token: SeIncBasePriorityPrivilege	828	EhTray.exe
Token: SeBackupPrivilege	2784	vssvc.exe
Token: SeRestorePrivilege	2784	vssvc.exe
Token: SeAuditPrivilege	2784	vssvc.exe
Token: SeBackupPrivilege	836	wbengine.exe
Token: SeRestorePrivilege	836	wbengine.exe
Token: SeSecurityPrivilege	836	wbengine.exe
Token: SeManageVolumePrivilege	1528	SearchIndexer.exe
Token: 33	1528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1528	SearchIndexer.exe
Token: 33	2228	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2228	wmpnetwk.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeDebugPrivilege	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeDebugPrivilege	2652	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	2652	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	2652	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	2652	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	2652	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe
Token: SeShutdownPrivilege	1028	mscorsvw.exe
Token: SeShutdownPrivilege	1508	mscorsvw.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2652	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
828	EhTray.exe
828	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
828	EhTray.exe
828	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2652	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2652	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
2616	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
1428	SearchProtocolHost.exe
1428	SearchProtocolHost.exe
1428	SearchProtocolHost.exe
1428	SearchProtocolHost.exe
1428	SearchProtocolHost.exe
1428	SearchProtocolHost.exe
1428	SearchProtocolHost.exe
1428	SearchProtocolHost.exe
2616	SearchProtocolHost.exe
1428	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2652	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe	28
PID 2772 wrote to memory of 2652	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe	28
PID 2772 wrote to memory of 2652	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe	28
PID 2772 wrote to memory of 2652	2772	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe	28
PID 1028 wrote to memory of 764	1028	mscorsvw.exe	75
PID 1028 wrote to memory of 764	1028	mscorsvw.exe	75
PID 1028 wrote to memory of 764	1028	mscorsvw.exe	75
PID 1028 wrote to memory of 764	1028	mscorsvw.exe	75
PID 1028 wrote to memory of 880	1028	mscorsvw.exe	58
PID 1028 wrote to memory of 880	1028	mscorsvw.exe	58
PID 1028 wrote to memory of 880	1028	mscorsvw.exe	58
PID 1028 wrote to memory of 880	1028	mscorsvw.exe	58
PID 1028 wrote to memory of 2800	1028	mscorsvw.exe	59
PID 1028 wrote to memory of 2800	1028	mscorsvw.exe	59
PID 1028 wrote to memory of 2800	1028	mscorsvw.exe	59
PID 1028 wrote to memory of 2800	1028	mscorsvw.exe	59
PID 1528 wrote to memory of 2616	1528	SearchIndexer.exe	60
PID 1528 wrote to memory of 2616	1528	SearchIndexer.exe	60
PID 1528 wrote to memory of 2616	1528	SearchIndexer.exe	60
PID 1528 wrote to memory of 1636	1528	SearchIndexer.exe	61
PID 1528 wrote to memory of 1636	1528	SearchIndexer.exe	61
PID 1528 wrote to memory of 1636	1528	SearchIndexer.exe	61
PID 1028 wrote to memory of 1548	1028	mscorsvw.exe	62
PID 1028 wrote to memory of 1548	1028	mscorsvw.exe	62
PID 1028 wrote to memory of 1548	1028	mscorsvw.exe	62
PID 1028 wrote to memory of 1548	1028	mscorsvw.exe	62
PID 1028 wrote to memory of 2408	1028	mscorsvw.exe	63
PID 1028 wrote to memory of 2408	1028	mscorsvw.exe	63
PID 1028 wrote to memory of 2408	1028	mscorsvw.exe	63
PID 1028 wrote to memory of 2408	1028	mscorsvw.exe	63
PID 1028 wrote to memory of 2900	1028	mscorsvw.exe	64
PID 1028 wrote to memory of 2900	1028	mscorsvw.exe	64
PID 1028 wrote to memory of 2900	1028	mscorsvw.exe	64
PID 1028 wrote to memory of 2900	1028	mscorsvw.exe	64
PID 1028 wrote to memory of 1212	1028	mscorsvw.exe	65
PID 1028 wrote to memory of 1212	1028	mscorsvw.exe	65
PID 1028 wrote to memory of 1212	1028	mscorsvw.exe	65
PID 1028 wrote to memory of 1212	1028	mscorsvw.exe	65
PID 1028 wrote to memory of 2376	1028	mscorsvw.exe	66
PID 1028 wrote to memory of 2376	1028	mscorsvw.exe	66
PID 1028 wrote to memory of 2376	1028	mscorsvw.exe	66
PID 1028 wrote to memory of 2376	1028	mscorsvw.exe	66
PID 1028 wrote to memory of 1428	1028	mscorsvw.exe	76
PID 1028 wrote to memory of 1428	1028	mscorsvw.exe	76
PID 1028 wrote to memory of 1428	1028	mscorsvw.exe	76
PID 1028 wrote to memory of 1428	1028	mscorsvw.exe	76
PID 1028 wrote to memory of 3036	1028	mscorsvw.exe	68
PID 1028 wrote to memory of 3036	1028	mscorsvw.exe	68
PID 1028 wrote to memory of 3036	1028	mscorsvw.exe	68
PID 1028 wrote to memory of 3036	1028	mscorsvw.exe	68
PID 1028 wrote to memory of 2356	1028	mscorsvw.exe	69
PID 1028 wrote to memory of 2356	1028	mscorsvw.exe	69
PID 1028 wrote to memory of 2356	1028	mscorsvw.exe	69
PID 1028 wrote to memory of 2356	1028	mscorsvw.exe	69
PID 1028 wrote to memory of 1164	1028	mscorsvw.exe	70
PID 1028 wrote to memory of 1164	1028	mscorsvw.exe	70
PID 1028 wrote to memory of 1164	1028	mscorsvw.exe	70
PID 1028 wrote to memory of 1164	1028	mscorsvw.exe	70
PID 1028 wrote to memory of 940	1028	mscorsvw.exe	71
PID 1028 wrote to memory of 940	1028	mscorsvw.exe	71
PID 1028 wrote to memory of 940	1028	mscorsvw.exe	71
PID 1028 wrote to memory of 940	1028	mscorsvw.exe	71
PID 1028 wrote to memory of 1728	1028	mscorsvw.exe	72
PID 1028 wrote to memory of 1728	1028	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
"C:\Users\Admin\AppData\Local\Temp\5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
  C:\Users\Admin\AppData\Local\Temp\5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe ACBBE53A-E474-4D18-A5CE-B80EA7F71E43
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2324

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 260 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 26c -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 250 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 25c -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 29c -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 26c -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d4 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 23c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 120 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 120 -NGENProcess 26c -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 1c4 -NGENProcess 27c -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 27c -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a8 -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c4 -NGENProcess 26c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 29c -NGENProcess 254 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 254 -NGENProcess 2a8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a8 -NGENProcess 1c4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c4 -NGENProcess 24c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 28c -NGENProcess 29c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 2a8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 24c -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 2a8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b8 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 28c -NGENProcess 280 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2c0 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 294 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c8 -NGENProcess 280 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 280 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e4 -NGENProcess 26c -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 26c -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2ec -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c0 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f4 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2f4 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f4 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2f4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 30c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 310 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 380 -NGENProcess 30c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 384 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 370 -NGENProcess 364 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 370 -NGENProcess 384 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 280 -NGENProcess 364 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 398 -NGENProcess 388 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 384 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 384 -NGENProcess 280 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a4 -NGENProcess 388 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 388 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3ac -NGENProcess 280 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 280 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 370 -NGENProcess 3b0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3b0 -NGENProcess 280 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3bc -NGENProcess 39c -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 280 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 39c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b8 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 280 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 39c -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 280 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 39c -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3b8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 280 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 39c -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2244

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1764

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:936

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2732

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2928

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1372

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1428

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
3164e5a5c3163a0221a804bcd285ef6d

SHA1
0b3fda43319685e3325d80e759ca21ec71bc1e58

SHA256
15fc117547391b363a83db29e4eb678399683cd812be0cb44a378772fa12da17

SHA512
25e6a0d455542b5909c67a5ac73a75a57a350ed091c0c272514cc74928c9a7cc046c50b5e4e3e5e190272ee963da956f8975685f1cb2aa966b3d348656ac4433

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
730d0bf2bb6189d4ca91aa60aad13d1c

SHA1
8f3d4d08b5da96c378a484608deaf9e1da976cb5

SHA256
8b5e71f0adeb19c93d74f28431b5f8090ddbfa7842b234f9ab0ee7e0af845882

SHA512
45326c2aa35ebb9b99d6d5ef956cca74ee1df1ff0d21737ad795071b379c7f9585119168c35265c5d8a800eb3fb032b1090fd89e1b27375f563651199e55073e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
67050d6a1db349fa29b7964cd4d7acf7

SHA1
cb148eb440016b6b14ffee6fc239e8aec68b89c3

SHA256
3eacd81c5a0de9ec1ba19194d43307295d7eda9f915aa5a2566459baf2cf31bc

SHA512
79d6ed0763632070cec403fcb2360b76dd1371f36b756bbcb9a8800e67ff7acdec628023ba77eda1abc2abfb23c07a9a81a11b5789066324e8e5b40f92588bc4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
30fb542d3de33cc13f148d98d2eeaab6

SHA1
59dad9416d5d210dae3f2067746e721f1a26fe37

SHA256
e54ad94821837dccb74bbea87b832f2df451977ae8f9656c5d2bf74ddfa65979

SHA512
9ebbc98dec13415b4198e14cc2d9aaa7bcbe2df80a225e5967258de105810224416e2920bfba587cd29f4cdb18a0e570679958ba858a0f33766f9ec190f8471a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b287f5427c37f66d1685db61c3c1456d

SHA1
922a7c6d6604dd8902047634a209e97a81c87dc3

SHA256
94bcc297b9f7d3c67a954d1d66d8577f0fde18a053a491de84e7e7e7a8475b16

SHA512
8c6052b37f226fde624e28e1bd6857d2be28a685b8eac7bc753e519720e081c967213c0c569e44f8c3e1d99ad47f170da0c09cbc3b4b0f52f6263a71959641c9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
2411f92f69031cb3ab57c46944185ebd

SHA1
3226a74f0eaf50413086cfa10299e20c30aa1b06

SHA256
db3e9777747ddd590c161800c1ec5d8c02a67b8c545abaff9553ccae87175ba5

SHA512
af012d640f41d82d279c3c5b86e6de335f101f3f081b5f0285fde2ffba4985d4093f805bdcee15376b7f2b004a327eebf410b9ee29699a8c9d0241b1890bfe01

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
6f4f7ec4d78d80a6c4bca9c11461667a

SHA1
cf4897e103fb90201d617c1a44e2e65770129370

SHA256
c900926ab31aefd9357c5b9131e775dee2cd9ec33142ba227dc0500bc1479535

SHA512
1b38418f28f18f336913086aae69aaee3d4406a5744740bc868e3d8a2af3b8028bd1cc2b7268452b8c8317019b49351d5cfdcb2e838dcef551e768ebf7dccea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DCEAB0797B1061F5E3B4B9B95F67D16.jpg

Filesize
2KB

MD5
4b5ee46e53e1c499f2f14931290f7add

SHA1
13c431620c76e9ac6dde80d6c73fb5da8b83dd58

SHA256
ece51829e895dc38af0f847a6ca081f8e140fc694de1f41fda050547e6acc9e8

SHA512
b008d638163498f88e5d6b0b2b3b21218c22a9b1b29433de067643061738c430264cac055b6dbdf9dabe48be6ab39105cdf8662e4a3fe1f483b55a84eab46851

Download Submit
C:\Users\Admin\AppData\Local\Temp\UninstallBkav.log

Filesize
492B

MD5
19f60f291f4fa504014ed01f78d9acdc

SHA1
65c8347a557da71499608fa7069bdb017e82d268

SHA256
50304df6c913eade531d79c7b21497338cb04b681310c79c71bf2429835162e5

SHA512
6d087804aed50e228e245d3ddb1ad8b0ea71ec51e81edb0c26fd899e29ace092f48ed4918463acb67d4c487254e0fe4c70eb47886ec53a40a893617ccce1dd17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8ef5c3ce0ef7e029d0d4f4133c41b2f8

SHA1
741c77ddf6674e762f0053a3b1366946f563a0c2

SHA256
17d083358392810ca075ea3ea26c6dd8f266479c178243f7e036c220d5852de7

SHA512
ab17d1b384509f0e4ff4a6cc5ccbf5475328be3c7e585f5d042cc7a7a2ba8479760d0067fe273190fa7af8002a9d4719da8fb11776df7a39c522079403355095

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
43bc06f74a374bca9d1b9b8179c1c305

SHA1
6d2959cd2c986f81db14b0102fb021c9fd2c9093

SHA256
6df7924d7f258155193cef3a3f3b3e11a9e65123508e46abd1f6d946e34abc8d

SHA512
db61276b65b82e72a8578a01211af9138d29cd09a3bee19b87071031ed695583acf9d99e6585902030b489ea966ee8808a2aa5fa53755e38c058a012d2c3ea1f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
2074f707b390473e908549efe42dec75

SHA1
d7f24882b087efb67008bc34eba7099b342db7cb

SHA256
c0b62e33bf0cddf55c624f6e103230a6786652b8693f5a00459ad4f2f07be86d

SHA512
ce61686443687a5497ae2d7c4a20001f257d3a1bf1deadb0a7f07e74aceab71f6c5d4ad1b1e1c2c0d5a3e26b36b9ee63b4a8a6f77fca6bf29f75765fad3e30d9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
c0a96782e09e3eeb115707be26bd3905

SHA1
9c7337ed8fab690db1f5990954399d5e3718389f

SHA256
0cf5a736b95d72b319d76467b25e75a20831870163376aedb648158745b831ec

SHA512
62289ff597222736babf44d4426082cfb54ac01f925a22c3e310f624269fb2537119941ca4f63913227802320f9f8cc960adfa89e07af28f63be0e6f12cf3f3c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
54ce820c4939884faea82679757def2b

SHA1
bd3e497438670496ff5d5a38027a325028db2351

SHA256
26bdb50eb4291eea7cdf16826d8b5c2dc495303bc41e81eb9ca004683bfee02c

SHA512
cb8eb95ef722ab418f9bfa23dd41128ada3303a036272601cf44048f14a121306fa5f8466b04dbffd7b952224842013d2268f61206b06a34c6ddd4f805568e60

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
0a5b7e91153e3385e573daca33438ea7

SHA1
1726b255fb4d52974e6d16623069bcfa84b07145

SHA256
6094707abdd436e3f28daab8dc01591566916c45dc0e781a885d87afa00bbcf4

SHA512
aba486962b18f05b5a1edfad17022c3f2c9e55d056bbcea880937a6bb4472c6f2dd3fc6967657f2272b1567c21a59eff30039536829a4928385fd1c5ccde3bff

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
1b851eb1d8e7b138429ae3f792cf85b6

SHA1
c9d17e468fb3e06930fb0ad88b670e774a3c03f5

SHA256
dddbab0b34db7e252db899804ec4db65a8016b8b00bc017bb2cdd3851769f68d

SHA512
c210319fdea824821164ab4248e637943b349b480d2bc299e6ec5815d548614625707ac10d22cb928a343daff5ea1309a2fb4e7b0affecf39d067e85faf55159

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
dab2f2ba77ff0774a2c0cb154af65ded

SHA1
d395719bf6e6a02636c6d0f7859cbf0398ea0844

SHA256
6b742d53c29089c17f9a10bf664e2d50a78e3938f896f1c545a77f9c12f7e30e

SHA512
7a0831c514c112b4c93701a8ad0a776004901600d2249eba32ffe6e76a78d4a5350773538b392ea58c2f66751839731a803bee20d3d25859d226af11d5c400bf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
494cd2c492178ecc076a871b05538096

SHA1
22e2e83a658a3f1a7178ebe29cde2be39190eb65

SHA256
683e6e718994cc82c2a9504800f3939beae472a7f448614b911cac99826478a8

SHA512
3ebd4ff59cfb95d2f6a956171a66aabab3978d328bf4a1a7ddac3560435fd84fc3c72d494590b3475a6dee48545a9cbd38c5e30f8d52c115e516fa79a86a8e55

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
d304f12c32a9028a0d6dcac5966a275c

SHA1
4115bde2fd83b604b2ba38b8855cff3863bb7041

SHA256
18da44e3787a5f3036ee42babbdffd0ee13d954adf262bfae2270067c66bd3d7

SHA512
1aac5fd9319878e68a47d77c46fe4f9512348e84d457e48be577fb74ab1c96b92f1a733f59615b79da0da080e91f0ed17bc08ffff371e602b977b1c2bfeee1d7

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
054435a9ceb95409de72759e96995724

SHA1
0307eb77588659180ebceade22b1ec28f209af0f

SHA256
8c31dd88b8ee9be74f594c740bb5710d838dd9db593b1991c8ad29515b9c0246

SHA512
123855d0a25f1536834f55f193d6bcdc0c2241b36846d2aa7d44371cc7b4812c42ac827c9732863d9193a77b442946b53db98dc512e0fdc102738b290d071641

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
358442c5d489a1955ce6769b256aa0cb

SHA1
7316208d018c4ea9ecafcf36cd571b409f101aee

SHA256
ca2db13bddd4cf3a262687b16810a6b4b9740dcd9bf98c5903efff6d08398582

SHA512
f2487df0ff27b4b5af687b71f575c9778fa5950c9a62b9388bbe98d7da100d3b2a2a75c5a2624793b5ee776629ac30baddefffca720c1c313311b6bc13c63e44

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
3331101b17ae26e7d2163072e02c9f5b

SHA1
984a40929772d718899c4a7a15964dba1910dfcf

SHA256
7d34fe4b13d5c152c1b59215d0446458db27ec56c7b86a3feb6b176aeb4ade1b

SHA512
e18428caeb74176ca32dcf1dc17c9096d0d4c639bd491793206ab10c2e30a3561007e52986a92dd19f3d8286842eb9c49474ca210989ea6ac35f2b41af1ded2c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
080aa9777cf5e9759597c9ff5049afb2

SHA1
b395ac759b1be6eb3a3325190c90a28f112122bf

SHA256
4b38053c8806852d52e97e6439b396de7ddf4b29dca198677571776c79bbd536

SHA512
f0179af9e11c64a3d4924df190f2d81ffbeb04ff06b59a3dcc197f14dec623c0d73cdc21f08a0b1ebc565ef10e6187d035f4f1f68ba66a0f0b4455270defcc6a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\10d84d1aaaf876c96f85b0d1a9462cc8\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
2b80587f36d803ab5b2c80e39846e550

SHA1
f92a50fc2a4d4eeb5e6ce7d8cfbe0e3770df3372

SHA256
843083a24116f498117334051e5c9220aca0b38c66b503904bbc036c106b45ed

SHA512
e7546ce786aab003d14c802bef4e741e60a42e705a71676ae7f0672b0b7c6b952f18d4ebcea77b004e1e131b9a15112b88d70ce0de23ad476f21ff924142b782

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\54ba26779e6f2075f91293f4f81c2fff\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ad8c0e759df25e0049d44e5aba4f3321

SHA1
4e1e19b1b5602937057170bf390db0091899af69

SHA256
4c31b7d8501b8914425568b1c3a228aeafa35b6cd6bfcd9cf55dfa511a71ede7

SHA512
f23471c6371f3828002e2ff168013cc01d7744299bd14c7d2117bc39261a9d10cf3bbbe87af08874990a2e20998ec7e3208bf16659ef9e895147e854509f88c4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\772a83b7ba5a7a293f67e8f8c3facf63\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
d37f5757a18d166633cd277586cf68b4

SHA1
a7fd3d352c6104a75345ad087de3d13c2622bd13

SHA256
efa44d8df063b605003041997d15de67a92e1b79917131d4bd6a0759bbc65a82

SHA512
9e7179c6fc71a0d3b36f2fec5df780cad98556aaf4bff215b31bdd39744c8293a266322ef1d6ebf46881a4fbb60f68b5e3843d9fc0edf8fd594a26e5254ec16d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fd8bf7f7349c342d9f9651f559f17928\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
4a8ab93b7a1c4d56858d26d1baf76b3e

SHA1
5e677a6ef4fe41134262dcc0f32ff4d3de316654

SHA256
4ad17ab758807f64a8f4f1879d2d5961eb9295aadb7d5a5e1a7efe946a17de4d

SHA512
c48ff8b5ea40b18763607eb40bc639f6e01ade5ff61c48773ba68c753c6eedf0e7f0c4daa82389f94f352bf1c03bec3c766182041c0f1bbf22ac08792d8abcc4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fae6ffaf5657607fabd673ddc47eb834

SHA1
cd916df35304c4b5970c075bdbca925dc801517d

SHA256
738dcc0db87ead1fa4778fc9aae5cef4705ee042d4ad7ef7b2ed463422d9ba5c

SHA512
d81095e11d64c56eb26519585f14788a577692e222b080f384d39f33b035e30fc080e8d175531aea4a55dea82d954ed4ea190375108ce99accb992fa7b46dd1d

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
b556d9c72de5aaa7c749e9e0d949fb4a

SHA1
7e26ef26b594a7dbd70cdbee2c9a6af927086c47

SHA256
3ee53efb3c1719283f1080475079d4fa7abc9269c58474d4c222a95824c66c48

SHA512
86982c8d09d8f8941e59c3d8b9a821ac33a715360a9d76f37d4fb6f166ef5cdc7bb01a7e868933f8d763919c9d53299f6903e97e30a86b64246bf44d14d5f3cf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
121ad850d10720d42ef56d5b5445f310

SHA1
d7991884f874bab65265ccfa2bef143ef667099a

SHA256
3b1e8794a793e32808ba406cbd080a868f4284f7b302b9432489c75c6592f017

SHA512
1c41aa6fe50146d9ae5e7aef3769c2775b930f78a7387cc5f95bdef306e39ccd3e79d2038857f6ffe280f1f145f9bda74f0ebc25f438742b552434300b6a3cbb

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
17fe1580a372b760351908765324e720

SHA1
8725ab067963e3bd50f6a556a282f0afdbeaecc8

SHA256
4df3b6cfcd137185f06bbcd403be4087a5700066284c94569729f8cdfee7ce68

SHA512
79a66665763c6a78ba5c9e4f717e6bc0f2b7109a99ba5761d8d7dadd6f70d332f98d100eb77943526759242b6650859fbfcdbdc8f1b31db9b066e99c4352b66d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
5fef3554b4334abf9c715bf8421356e8

SHA1
bb31c1ce1d0dfec2682529a628f8a199590b9cfa

SHA256
65bf2be645c60529c1be12453df4ecab74ecf2db56ddd4e0f4c0edb24047bbf2

SHA512
5a5668eec8f0201ae685f9ad4845962df1f08c42ba9444b2b0ca5ebce70a6ff33236635e1fd59d5b25c78dca39defb94ffebc23bb788ef49edff24d47f68c407

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
c463d0f51585dd1783b7c4e25ae8b4c5

SHA1
19fdfa3778d2c1b8eb3b0e10b3bc71209df831bd

SHA256
db548376e3cfeac4d1d990687b9d66fff79b83f03bafe7bb87c787a492e98471

SHA512
bcbb5eed3bc560dc3e6951bd80907c3c862e72d902d61be70e1272d9aa13c08425383c89d4663dce9f3a097c126cd523e420ff09666247784f400a082cca1cef

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
e23468b54c7dd8b21927205f1307c384

SHA1
46b9d8fff2e8e05b78c31c98b949b68d3454cbbe

SHA256
8c6ec208ea995d4a5ff685a51b97ea9e8bd568cd6fb0cbac17bca81f3768c58f

SHA512
264ac95b0cf1c03015828fe878e21e9c7e7baa8380b9a359f962750f7a75f384bbafbddf956efbcd2b5d47f5ef49b161c1a0c03906a2cdbc8d22a4ecddc0d009

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
d6bf354ea456bff2ab2f895107d7e177

SHA1
4ba7f15af30b070728234f6513d36c8deb00428f

SHA256
fb8234fb57f974cf15e763bddb477dfab04dedda87f1e8e779583a0d5cd45192

SHA512
3db9b8b1dfc219c1a603b4f0e3cefa6a2e036349b05eff62bb5c15f4d90d62cba1e231a0c0b3878fdcb7bd1d7b7ebb440c9963f80bb65225501fac0d588a059f

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
066e0abfbeac3a995e9de9edc78d2087

SHA1
e1d09e54d2a8bdfa917e03ca71897722408c3c71

SHA256
c0c6fbb26a89959d6ea3e0328e7fd8835ac216543cd4d5fb09c10fae11a7b9ac

SHA512
d37fc95c8030c4bf0dec3f87bc2de6640a883e2e63f6480b54bea04885275c9ea058feb87aa4357653f56e0a75fafda616513af7dfb8d81c41d8b5a72d473173

Download Submit
memory/764-303-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/764-703-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/764-242-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/836-246-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/836-550-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/880-318-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/880-296-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/936-138-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/936-215-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/936-131-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/936-136-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/940-652-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1028-71-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1028-77-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/1028-72-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/1028-182-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1088-234-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1088-170-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1164-638-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1164-611-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1212-528-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1212-542-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1216-736-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-673-0x0000000003C10000-0x0000000003CCA000-memory.dmp

Filesize
744KB

Download
memory/1308-677-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1372-188-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1372-263-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1388-555-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1388-251-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1428-573-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1428-557-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-91-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1508-94-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1508-85-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1528-588-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1528-277-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1548-166-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1548-173-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1548-482-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1548-478-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1640-228-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1640-483-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1664-715-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-659-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1764-110-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1764-127-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1764-105-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1764-206-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1764-103-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1764-126-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1900-245-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1900-250-0x00000000003B0000-0x0000000000462000-memory.dmp

Filesize
712KB

Download
memory/1900-185-0x00000000003B0000-0x0000000000462000-memory.dmp

Filesize
712KB

Download
memory/1900-179-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1908-124-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1908-115-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1908-121-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1908-210-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2228-264-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2228-582-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2300-761-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-772-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2324-65-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2324-50-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2356-589-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2356-604-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-769-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-758-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2376-551-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2376-556-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2408-495-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2408-491-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2416-725-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2416-714-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2424-58-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2424-79-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2448-218-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2468-740-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2488-151-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2488-45-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2488-39-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2488-32-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2576-142-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2576-28-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2652-123-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2652-14-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2652-15-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2652-22-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2716-295-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2716-211-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2732-143-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2772-13-0x0000000003210000-0x000000000366F000-memory.dmp

Filesize
4.4MB

Download
memory/2772-0-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2772-93-0x0000000003210000-0x000000000366F000-memory.dmp

Filesize
4.4MB

Download
memory/2772-8-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/2772-70-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2772-1-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/2776-476-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2776-221-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2784-503-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2784-231-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2800-310-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2800-473-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2804-750-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2900-504-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2900-531-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2928-217-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2928-164-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2928-146-0x00000000004E0000-0x0000000000546000-memory.dmp

Filesize
408KB

Download
memory/3000-276-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3000-207-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3036-583-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3036-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download