1794ac788590e43af1602d5579c5ac21129889fb76715e9ae3a9ff96b4ea2049

Analysis

max time kernel
135s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

134fd2f2a64507c191f2958fb6262310_NEIKI.exe
Size

1.5MB
MD5

134fd2f2a64507c191f2958fb6262310
SHA1

8b51507a660a3f99fccfc72c27b27f2c3b42b174
SHA256

1794ac788590e43af1602d5579c5ac21129889fb76715e9ae3a9ff96b4ea2049
SHA512

ec16440c7aa1d083f8c15a5a2f21d4247fb54db9482f082d05d67d04337b11dd7c0679639dba3b5a70536c8b585694a90161a3d4d0aef03985f2114d96ab8891
SSDEEP

12288:Q0cmqmFrfBCgiw4bivhqGoj85sVPL5qw+Dd:XXqMrfUgYbkhqfj8uqw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2856	alg.exe
2500	aspnet_state.exe
2488	mscorsvw.exe
2788	mscorsvw.exe
2432	mscorsvw.exe
1228	mscorsvw.exe
1932	dllhost.exe
2972	ehRecvr.exe
2056	ehsched.exe
1844	elevation_service.exe
320	GROOVE.EXE
1212	maintenanceservice.exe
2456	OSE.EXE
1572	OSPPSVC.EXE
2760	mscorsvw.exe
608	mscorsvw.exe
1196	mscorsvw.exe
2224	mscorsvw.exe
2812	mscorsvw.exe
2496	mscorsvw.exe
2372	mscorsvw.exe
1656	mscorsvw.exe
1848	mscorsvw.exe
2924	mscorsvw.exe
620	mscorsvw.exe
2380	mscorsvw.exe
2488	mscorsvw.exe
1112	mscorsvw.exe
2928	mscorsvw.exe
3012	mscorsvw.exe
904	mscorsvw.exe
2032	mscorsvw.exe
1872	mscorsvw.exe
620	mscorsvw.exe
3024	mscorsvw.exe
1468	mscorsvw.exe
2672	mscorsvw.exe
1340	mscorsvw.exe
1792	mscorsvw.exe
620	IEEtwCollector.exe
940	msdtc.exe
1468	msiexec.exe
768	perfhost.exe
1656	locator.exe
2836	snmptrap.exe
2960	vds.exe
1704	vssvc.exe
1212	wbengine.exe
1060	WmiApSrv.exe
1480	wmpnetwk.exe
1752	SearchIndexer.exe
1008	mscorsvw.exe
848	mscorsvw.exe
1072	mscorsvw.exe
2416	mscorsvw.exe
2948	mscorsvw.exe
2476	mscorsvw.exe
2316	mscorsvw.exe
964	mscorsvw.exe
2516	mscorsvw.exe
1092	mscorsvw.exe
3020	mscorsvw.exe
1964	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1468	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
728	Process not Found
2948	mscorsvw.exe
2948	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2516	mscorsvw.exe
2516	mscorsvw.exe
3020	mscorsvw.exe
3020	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
2520	mscorsvw.exe
2520	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
1096	mscorsvw.exe
1096	mscorsvw.exe
588	mscorsvw.exe
588	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
1944	mscorsvw.exe
1944	mscorsvw.exe
1344	mscorsvw.exe
1344	mscorsvw.exe
2396	mscorsvw.exe
2396	mscorsvw.exe
2340	mscorsvw.exe
2340	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
2384	mscorsvw.exe
2384	mscorsvw.exe
672	mscorsvw.exe
672	mscorsvw.exe
1452	mscorsvw.exe
1452	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	134fd2f2a64507c191f2958fb6262310_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	134fd2f2a64507c191f2958fb6262310_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\80a5a2ddae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	134fd2f2a64507c191f2958fb6262310_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP44DD.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7178.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP428C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5763.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP37A4.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	134fd2f2a64507c191f2958fb6262310_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	134fd2f2a64507c191f2958fb6262310_NEIKI.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3BD8.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP53BB.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4F0A.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP73AA.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1712	ehRec.exe
2500	aspnet_state.exe
2500	aspnet_state.exe
2500	aspnet_state.exe
2500	aspnet_state.exe
2500	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2888	134fd2f2a64507c191f2958fb6262310_NEIKI.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: 33	1188	EhTray.exe
Token: SeIncBasePriorityPrivilege	1188	EhTray.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeDebugPrivilege	1712	ehRec.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: 33	1188	EhTray.exe
Token: SeIncBasePriorityPrivilege	1188	EhTray.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeDebugPrivilege	2856	alg.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2500	aspnet_state.exe
Token: SeRestorePrivilege	1468	msiexec.exe
Token: SeTakeOwnershipPrivilege	1468	msiexec.exe
Token: SeSecurityPrivilege	1468	msiexec.exe
Token: SeBackupPrivilege	1704	vssvc.exe
Token: SeRestorePrivilege	1704	vssvc.exe
Token: SeAuditPrivilege	1704	vssvc.exe
Token: SeBackupPrivilege	1212	wbengine.exe
Token: SeRestorePrivilege	1212	wbengine.exe
Token: SeSecurityPrivilege	1212	wbengine.exe
Token: SeDebugPrivilege	2500	aspnet_state.exe
Token: SeManageVolumePrivilege	1752	SearchIndexer.exe
Token: 33	1752	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1752	SearchIndexer.exe
Token: 33	1480	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1480	wmpnetwk.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe
Token: SeShutdownPrivilege	2432	mscorsvw.exe
Token: SeShutdownPrivilege	1228	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1188	EhTray.exe
1188	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1188	EhTray.exe
1188	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1068	SearchProtocolHost.exe
1068	SearchProtocolHost.exe
1068	SearchProtocolHost.exe
1068	SearchProtocolHost.exe
1068	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe
872	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2760	2432	mscorsvw.exe	44
PID 2432 wrote to memory of 2760	2432	mscorsvw.exe	44
PID 2432 wrote to memory of 2760	2432	mscorsvw.exe	44
PID 2432 wrote to memory of 2760	2432	mscorsvw.exe	44
PID 2432 wrote to memory of 608	2432	mscorsvw.exe	45
PID 2432 wrote to memory of 608	2432	mscorsvw.exe	45
PID 2432 wrote to memory of 608	2432	mscorsvw.exe	45
PID 2432 wrote to memory of 608	2432	mscorsvw.exe	45
PID 2432 wrote to memory of 1196	2432	mscorsvw.exe	46
PID 2432 wrote to memory of 1196	2432	mscorsvw.exe	46
PID 2432 wrote to memory of 1196	2432	mscorsvw.exe	46
PID 2432 wrote to memory of 1196	2432	mscorsvw.exe	46
PID 2432 wrote to memory of 2224	2432	mscorsvw.exe	47
PID 2432 wrote to memory of 2224	2432	mscorsvw.exe	47
PID 2432 wrote to memory of 2224	2432	mscorsvw.exe	47
PID 2432 wrote to memory of 2224	2432	mscorsvw.exe	47
PID 2432 wrote to memory of 2812	2432	mscorsvw.exe	48
PID 2432 wrote to memory of 2812	2432	mscorsvw.exe	48
PID 2432 wrote to memory of 2812	2432	mscorsvw.exe	48
PID 2432 wrote to memory of 2812	2432	mscorsvw.exe	48
PID 2432 wrote to memory of 2496	2432	mscorsvw.exe	49
PID 2432 wrote to memory of 2496	2432	mscorsvw.exe	49
PID 2432 wrote to memory of 2496	2432	mscorsvw.exe	49
PID 2432 wrote to memory of 2496	2432	mscorsvw.exe	49
PID 2432 wrote to memory of 2372	2432	mscorsvw.exe	50
PID 2432 wrote to memory of 2372	2432	mscorsvw.exe	50
PID 2432 wrote to memory of 2372	2432	mscorsvw.exe	50
PID 2432 wrote to memory of 2372	2432	mscorsvw.exe	50
PID 2432 wrote to memory of 1656	2432	mscorsvw.exe	51
PID 2432 wrote to memory of 1656	2432	mscorsvw.exe	51
PID 2432 wrote to memory of 1656	2432	mscorsvw.exe	51
PID 2432 wrote to memory of 1656	2432	mscorsvw.exe	51
PID 2432 wrote to memory of 1848	2432	mscorsvw.exe	52
PID 2432 wrote to memory of 1848	2432	mscorsvw.exe	52
PID 2432 wrote to memory of 1848	2432	mscorsvw.exe	52
PID 2432 wrote to memory of 1848	2432	mscorsvw.exe	52
PID 2432 wrote to memory of 2924	2432	mscorsvw.exe	53
PID 2432 wrote to memory of 2924	2432	mscorsvw.exe	53
PID 2432 wrote to memory of 2924	2432	mscorsvw.exe	53
PID 2432 wrote to memory of 2924	2432	mscorsvw.exe	53
PID 2432 wrote to memory of 620	2432	mscorsvw.exe	65
PID 2432 wrote to memory of 620	2432	mscorsvw.exe	65
PID 2432 wrote to memory of 620	2432	mscorsvw.exe	65
PID 2432 wrote to memory of 620	2432	mscorsvw.exe	65
PID 2432 wrote to memory of 2380	2432	mscorsvw.exe	55
PID 2432 wrote to memory of 2380	2432	mscorsvw.exe	55
PID 2432 wrote to memory of 2380	2432	mscorsvw.exe	55
PID 2432 wrote to memory of 2380	2432	mscorsvw.exe	55
PID 2432 wrote to memory of 2488	2432	mscorsvw.exe	58
PID 2432 wrote to memory of 2488	2432	mscorsvw.exe	58
PID 2432 wrote to memory of 2488	2432	mscorsvw.exe	58
PID 2432 wrote to memory of 2488	2432	mscorsvw.exe	58
PID 2432 wrote to memory of 1112	2432	mscorsvw.exe	59
PID 2432 wrote to memory of 1112	2432	mscorsvw.exe	59
PID 2432 wrote to memory of 1112	2432	mscorsvw.exe	59
PID 2432 wrote to memory of 1112	2432	mscorsvw.exe	59
PID 2432 wrote to memory of 2928	2432	mscorsvw.exe	60
PID 2432 wrote to memory of 2928	2432	mscorsvw.exe	60
PID 2432 wrote to memory of 2928	2432	mscorsvw.exe	60
PID 2432 wrote to memory of 2928	2432	mscorsvw.exe	60
PID 2432 wrote to memory of 3012	2432	mscorsvw.exe	61
PID 2432 wrote to memory of 3012	2432	mscorsvw.exe	61
PID 2432 wrote to memory of 3012	2432	mscorsvw.exe	61
PID 2432 wrote to memory of 3012	2432	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\134fd2f2a64507c191f2958fb6262310_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\134fd2f2a64507c191f2958fb6262310_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2488

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 25c -NGENProcess 258 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 1e0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 1f8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1e0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1f8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 268 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 258 -NGENProcess 250 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 290 -NGENProcess 1e0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 294 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 270 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 274 -NGENProcess 258 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a0 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 270 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 258 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b0 -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 29c -NGENProcess 220 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1f0 -NGENProcess 1f4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1f0 -NGENProcess 244 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 220 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 24c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 224 -NGENProcess 298 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 298 -NGENProcess 260 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 224 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 1d8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2b0 -NGENProcess 264 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 264 -NGENProcess 258 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2ac -NGENProcess 2b0 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 244 -NGENProcess 290 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 290 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 244 -NGENProcess 2b0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 294 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 258 -NGENProcess 2c8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b8 -NGENProcess 258 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b8 -NGENProcess 2cc -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2cc -NGENProcess 2c8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b8 -NGENProcess 2d4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e4 -NGENProcess 2bc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 300 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 308 -NGENProcess 310 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 324 -NGENProcess 318 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 320 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 308 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 310 -NGENProcess 334 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 338 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 30c -NGENProcess 334 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 33c -NGENProcess 310 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 338 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 334 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 338 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 334 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 338 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 334 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 310 -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 34c -NGENProcess 364 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 360 -NGENProcess 370 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 308 -NGENProcess 364 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 374 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 370 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 378 -NGENProcess 37c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 35c -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 364 -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 354 -NGENProcess 370 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 38c -NGENProcess 35c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 354 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 374 -NGENProcess 388 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 39c -NGENProcess 390 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 354 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a4 -NGENProcess 35c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 35c -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3ac -NGENProcess 354 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 354 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 354 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c0 -NGENProcess 39c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 354 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 39c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3bc -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c8 -NGENProcess 3d8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3b0 -NGENProcess 3bc -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3dc -NGENProcess 3d0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3d8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3bc -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3d8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3bc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e8 -NGENProcess 3f8 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3dc -NGENProcess 3bc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3f4 -NGENProcess 3fc -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e4 -NGENProcess 3bc -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3e4 -NGENProcess 3f4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3f8 -NGENProcess 3bc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3e4 -NGENProcess 39c -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 2a4 -NGENProcess 40c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 40c -NGENProcess 3f8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 418 -NGENProcess 39c -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 414 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3f8 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 418 -NGENProcess 428 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3fc -NGENProcess 3f8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2972

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:320

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1212

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:620

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:1580
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
8f757e0767b4054bd5f11db0cf199014

SHA1
bb0f7f267149ce27ed0b397cb3ca1854d29e159e

SHA256
8b2eb35d2cdd2bc4c8caa7cc0c2104bae2ce5d06ea7729fd0e3fffc0352d5725

SHA512
f4d0a8b707f6068a54aae37fe354ba7585b359d73d74678a25fe2f3a78675b12a36d61f628af45155961a5c6055e8cd4a4c69f2af180eebbca7ae48cdb4051e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.1MB

MD5
45cca2e9324e0762fb394a99edb699f4

SHA1
cbb69f4e9e65ec7c7494dbcd834586626b099bd9

SHA256
ee13a4d88b0b2ba48a3c6f34792f08730c51e643701193ab8069203c0ec76f44

SHA512
e3c390513a60a453857554e22447b029e9d4a77a13438a0256c2cc3b013a46e00114170fff3753958c7a7eec6b5838702343418de7196b72069e80ff8ae6e5ec

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
65f5835d8e160ef5298957c5bc68c011

SHA1
66341031445643b868b8f224f8c0c8487529ecc0

SHA256
dd0eae55d7a48c42df979818c6e8c47f18220c1a60b0838f4b2aa524ebedb08f

SHA512
5579921b90d65d159bdb0a9b8bcb871c7787209a1ca175b6588b2187422e914389a15123fe9b29e4698fa1b112579bf4d14ce29dfd9c18b11d734742ba0f1d8f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.8MB

MD5
73732a3dfd0be366c9feb4195496bb29

SHA1
3b32079a4053233185dd278061494a2513139f28

SHA256
1f4213a6c27784d1ed501f1b0370c0cea38e8569733e34f0df1c4449f381e2e9

SHA512
eb25e0a7953011adbcbc54288ff7a0aebdc05237ebde3d58976be9cefa7cfa54249d543b0b3e783a26ecff62a899de5eeb802e1d8092d453352ca8da13f1c452

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.9MB

MD5
a9c62152801c2340d6c2b9326c75ae4d

SHA1
b5b841135fd524a644de85e02c703128ce2b53fa

SHA256
842e208cad1951fd92644e3ebcbb7d69f7c091625ee93645d085b1bbf2d2496a

SHA512
98d51b944b3ce16beeec066970c9f8137a97e43a2ba7c1925460a0ab1051ee8186e0dc265028106e01e1967670a5ac2522b4cff8eac60f30c3f4b5ef45fdf445

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
9d65d0dc48493c3e4e475404b1c12960

SHA1
fbe56a20bde3d2cf85b47543603cee8fbc4771d3

SHA256
57687eb033684ca8cdd9d5c825d297d2e23058a554f6b3ec97ab030e4ef090a3

SHA512
72a194c160fa48ce23a4e7f45086c0fc31a77e9a1641fe199a2824cd4e9a97d412beb57477a8da30bdd78647dfadf83ebfbcbe8a302c8f48a414d832d9182af1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fda0e8ef9bb97c3da9926bef6f8d4bfc

SHA1
d50f4cc7b7717d764fe86790e7959990a3bcaac4

SHA256
f5c28776bb13e64f81b90359c56f50bb58d80b579c4c4cfd485f7048ebc9f621

SHA512
fecac66daccacb4bc27abdbd39abfd9cd3ca5898ba3c8dbc97217187413b0331f6cc86d1880e278c7d09fbb18691bcc02ec01f834fcb546b3844cf57306326a4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
2eab2dd6cca7624b6eac7685c96f9187

SHA1
cc21ca923d9ddd924657aedfd02a7467e7129367

SHA256
1372b6e06be99696647a80b6bda1b13f71dae74de84622e7819146aa0d80954c

SHA512
0f908a4c7aa9afad07d90af3fc9b6dcb7d2d8d96cf3fcd3dca270106e0c9fe3a3f1cf2f2e7bfc1608b8e0323a42947987c64aea799eb285f505f32ae870bba1a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
198b18ed8f15a3e84fc8ed87944982cf

SHA1
07ca347cdd4d8f1409c41cbe846dc8fd3a56cf29

SHA256
a640f8d732e91964a7ce262cbde1bf7c0e5fc8a80ee176ab7f6905e4401c35ba

SHA512
6c81715f735435edcad967c4a13a0583e54f179c19c06a7e7f77e0ee1006a917ad87b973749d952993dcbcb6185af1e6fd85b30d3bbb74c098f72915d012b8f9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
febc67231e51fed19d26e89838c446c9

SHA1
19b34ebc2ecb8c2594bd1b8d013a055779a8be24

SHA256
dfccbf954bbd1eae5a0a8eb3fe27ff911a3e558a7c53c7973525b2275f6d00cc

SHA512
08fe0ec7c124a9915ca548de084735b3cf018bde2dea062732b81607b1c9a4c304d49a8872410c8b834c3c3d3670ded9eae94dc1cf6015a61fd5897659931121

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
d4b9cefd3c42aa98da9d1fe9a98a8d1c

SHA1
f0335304fc5af29fce13557f29f2f0a898a13295

SHA256
80c1cb798bc776fce3b5856eb5bc4e68bd909b6d68adad88456338e547531151

SHA512
b7c454ef40bcc68f16380f546920cc5a236fc433b02c73dbda58cbb3e3079fc9678d282d800d669fe607978d98466725b960af4c3cd78a489be18bde3fc8d14f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
add7a699a0c55ee29eb8c53b17d42ef9

SHA1
7e4215c6019308834e4a80621ca853db523a1315

SHA256
3e67dd9e91e92d522281c2930f060e1d01b07f11946d490c37ac4d4b10ca1ea1

SHA512
51fda2a0e44a0a542f6311356d8ca32fbd9ee270940fc819ce4ca364b02215d6ce13cd8771e2bbba2b5089ff13f0f48f130d5bf865fa2d5a98285d0af8e7cad3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
2ed2f2be49467071e1dec5599d1a93ec

SHA1
7608060da44cf6ca1ab55918dc7397954f5173c3

SHA256
7e18894de30d849a4c2186e4d071f0b9032b1cd1c5e3bcbcf36496cb7c04533b

SHA512
9b13d00524749730b3ed193f30c1f4b7371547a327b73b5fa735b4f448f080b1a33c0aa0669956156cf2c7500e1a08d7684508d48c2c22f660072ff5f8400daf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
854dcba54ef174aebedc913f53751592

SHA1
1af889bec3b442d4a80d4f384f389ec466174277

SHA256
03c55abbf1bb404f8d69c62e9f9f157c72f064f6b8221b00bfbcdb8ab0344f2b

SHA512
7cb0c196e8a3863c4dba77ad109ddf2a3bb98408ca257dbbe4c4665dea6c07b896442c4340c66325a771026d9a834a733d68872a3c9dad437984b3956652deb9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
c690166d46115d3db1014791b470a34b

SHA1
5c5a4b6296a271f0a5f4e94d9289d55c46ebc551

SHA256
edcd848c05fe6e88f5f42ea7c78c6ccf5df838f510a2ed026b9e6cf2da225e6a

SHA512
edb4224eb5776e6f09fff5a8ea17dc974e13d6ab71cab3ba3bf025e2a3124fa7340a7f938e18e0266d37be71d424af51bced93256b1c06ede4be0aae873faf9d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
448KB

MD5
0dd0dfb4627a649f491426c129f12cab

SHA1
9afa8d7af63c38591ecebd09fae8bd366b06be36

SHA256
76bddaa29bcd9cbfb28434c0d58e0e1bb2095d93ec682532eea49095a5a38792

SHA512
bba5ac6ad13ea315cd85f105acf76ddcebcac278f47f4958ab661c6d18badc7d7b9c883f7d3245a4f8c218bf2564388ef80842f077d90427d66961e0255439e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bf9ded7e705e44d0a41fc6c0b7b5e05e

SHA1
d36fe0d728c42cbe14deb4074da773a215ab2a61

SHA256
3d1d0d30d5a35541ec148c06f20f20422ba6f31b90a94861de8c77175a06bc78

SHA512
2131b8f54c3c1aed528ca5654b3d05b74dae4bffbda04a52f22c539dc7b6571f5bdc5935d3b42a49f74b8974722f8ef44323f30242f53eac7fa4d388b4384507

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c69fca6149008678afb69e608ec29b2c

SHA1
b5e10fd6a5eb6d49d90544bb7e55a19108148eec

SHA256
e42fa2a859e7b2d4e1b6aecaffebb850894cccc05e45f55600845a164bc8e7b5

SHA512
501362134e1dfd7e922ebec0519f46e63059fcc4e04d384072f42088e9b445c60b7bad832ff69599589744b8e4b5e8c5ba8d5ea95e1a9cdf2c563bf26e8e8d30

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
ef35eabb4f5068fda82ad0571482fe53

SHA1
e284d029b52192fb86eb655dd8fe75c11b9e2b3c

SHA256
23116f22656a59a3ba1b55e049dfd80f4cec59e21415469e77ab66bc5a4e7f12

SHA512
57f0249fe7e7b42c32b173f90d017322a17523129cd2c127be1649574be1de75119021dbf5966fe6b6d372a45197ed37745baaba5d1e5e8a635fc9cc31acd02d

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
7f43e48a1a59c42c8d528d0b144d52e9

SHA1
465dd9bd7666e1c3e1e3deb59e72bd0b1213e104

SHA256
ef1fe9c34e9827ab7ccc803f7e5bd461dc4bd3489c9861d472b13cdfc4e2bcff

SHA512
545b173667e612e81b089dd986e8c41176d2d47911cfb875ec42b5a8f8b0187d62f607e36156225be986466400ed2d488075614e54a652329acdcf3e7f23a4c3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\005f6f8455d809c39cf765c31f0e887a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
43cf7d3eff4f19201c57bc42ff7ac701

SHA1
1f08068e6106d2de6eb2bee40686e752dad7ae01

SHA256
554e78c5a47a49c4baa6dfe802b70f07277a96223c5180ebf8aa6ea18b7ae765

SHA512
1d9f83f110cad870297d6062129f18a4227fe94928937ed076026d0c41bc10615fdce3e9e731359b47160c8e85674efa8657a4f53a6e08046920608bb91a84c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43a856a5c47032ff8a82bbbc1c9af0fe\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
5b5b8128d806667750c6f58e513d0eb5

SHA1
b8d24989c1e3ff762704f769d3093dbb4b3012c0

SHA256
57d6cb58c10ff9facfdedb9d8bba63c3ee9a7a12b7b5e7b1d03a71fd51e0aeb3

SHA512
0a8bb3d3a2708808a42b5f2da89985949a38a40c6b93e4afc1f79e3017eb1610c64f2ac9f1ff5d8f0f5693ad96d2f6c73e4cf8234c96c3e07289bccdb1e73e03

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4adfc6aa5ade7ed7b3213fabf1da29cd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
0dd74b7ef634a12e0bac990a300f51d6

SHA1
620ca9036615140c08ac0820f18cbd76c5fbba68

SHA256
ac2a356e6010afdee7aa7d576df392747239001a56d05ce229827e17e956bc9c

SHA512
7b635103b002e8775a37a07f25a265c9bf2c32f60da2c614a835bfd64117497e83cb5f7c20080bec9a88f71835a665c501f5f645649eeabd7ad6b9a210fccb4a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a86dd8d07fc52cb617d8d13cc4ee1d7e

SHA1
95e6d36b43fdae942e5f8407f8e7740de9825140

SHA256
922b46f44d0ebf1fdac9f0a34796398af2a43096b1d6e71a372db4ad159da179

SHA512
4f76998b50890be059cc01b5458f9c2383d4652f11ddd6118d77804e09b2081f1a8c2e3191ea8284811143d09f94cd8e50197b03e27a78c74ba7cd944a225d3a

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
afe122313e13e7d12fb34e429a5067a7

SHA1
d127f60e38121b799fe593f346bd42895683ca64

SHA256
0e4ba3dc311fe08eb2f28e69075d8f654e1bfa02f2e56f76c55762295d5e7107

SHA512
54e5b566874bcefb4a557bb9c98284d4c63cbfddcb49a0ca0f0f50925efd6f3900f8dd9f8297dce8433dc143b5d9dfedefebdd6cad59bb0ceda8356e23f60cd1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
12f4f540a55b175be734e12be23328c2

SHA1
b0a27d56f65851b36a2e61b5ee235db0b41a1588

SHA256
4ff901569f60b965a4f2f160acfa2f9049bc61794fa5f586fd51c197b049c0db

SHA512
774104c506d850a37ed2da28dd7d10401447b3c1a76aa96d9c2237f312cc968f96b6692b108d86ba97d0069bde269c440b8a11433b5393c4c05d8a41bdad9cd0

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
44487a3089e17de586192bfce1045cda

SHA1
05e1ce80ae544e0fb064ecffdae11f0f66ddd5d1

SHA256
891dad7b346833c8cb0d133d5614b26e0a7921c92ddbb28f80e0b530d99a997e

SHA512
fe24ef4a89a2353648f66dbe13b4ef5366ae7c56442484a50fc0f2d6b6405d35b4d2f632945c08f2a0727da29082eb5bb43a7ecbf4cfed551ff25c2143d25d88

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
dd2ee00e3cb4eb02a59fcfb0fa6c5fb4

SHA1
3373fdbd9d41ff0dfa2d892a7abe99086a13f6fe

SHA256
b9db5564e7eaa50ecaa1b20e70b0861edd4cebe9b51dea638a8de181353a9102

SHA512
43523cedbc7e116e3449fca290438cf462443baf8f7b93a6f0422e5da65150eeacb26c055d0a7008a1b04836030bb8e9fc19f5766df2226a9fc8021d4238d92f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
726582c7a2056833a8f87e096ddd3819

SHA1
4326c93c74639dcf7fd3fe44ed5beb3975f5ed99

SHA256
294f1c77e34a6deae10fbafbd77fbce9c7cf2c8b220b344be3b5d5775e784149

SHA512
30d106c6ca3a31a4a5eccf555c12c22c98498073e060df1bb074ea90ff2a58a685d424f81566d8607941952e7e8fa0223b136cd283ba5a36ec99454d9314b498

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
73eec878e238b4c51d62922307f1161a

SHA1
9cb85c7566d6763d95b1c7bb4a21ac9265934daa

SHA256
bfaf274bd7334a9c92f42a09556bdab78d0fb328d2faf6ebf70ad06f7c9399de

SHA512
bd3b79c92132e286b4915c3687fff47d391cecd9749214dc4c892cba85a13788ea392056de99d64ebf588d380cf72e9fcc02377857b6df8a652f20b9ab3a0519

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
51b3e67f6c866815b1cdcec96378a322

SHA1
96fe3888c0f31bf18caacf71f8e744dfc64cffc1

SHA256
90130c68c7d997fb1fc1430e023e5fdaf83945f01b97cca9a5250e481c4818a2

SHA512
f87b0ffa6bbcece91a067b99bdf64b527f3392c354a583c0e8b2ed78a2c080341c340da1eb5338dd5090c6cc057069769f0c580ae553c1b3930efee281607002

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4f2f71598fdd0112007d47e536591eac

SHA1
8551aaf28c1faf53ee99800f98860fbf44bd1514

SHA256
f99032897eae0eac30115ee15c7d44c54ca7d9281dbdf23065f66e4c697b54a1

SHA512
776f0867db38ef3476b439fc95b57e3de45bac07a1b10b60b1728af63fd480ad5aa470b670925a7a14132d5221e7907c5393e961d675b5620a167dd5927aad48

Download Submit
memory/320-411-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/320-173-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/608-331-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/608-327-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/620-710-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/620-499-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/620-628-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/620-606-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/620-519-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/904-593-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/904-582-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/940-715-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1112-540-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1112-556-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1196-368-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1196-340-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1212-183-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1212-188-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1228-101-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1228-100-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-300-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-94-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1340-659-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1340-682-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1468-732-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/1468-652-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1572-209-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1572-474-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1656-468-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1656-452-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1792-685-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1792-679-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1844-159-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1844-386-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1848-483-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1848-475-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1872-616-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1932-118-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1932-116-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2032-602-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2056-143-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2056-364-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2056-688-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2224-367-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2224-387-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2372-431-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2372-456-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2380-509-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2380-532-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2432-921-0x0000000001290000-0x0000000001318000-memory.dmp

Filesize
544KB

Download
memory/2432-919-0x0000000001290000-0x000000000137C000-memory.dmp

Filesize
944KB

Download
memory/2432-79-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2432-81-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2432-85-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2432-273-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2432-923-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/2432-922-0x0000000000DE0000-0x0000000000E04000-memory.dmp

Filesize
144KB

Download
memory/2432-920-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/2432-913-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/2432-918-0x0000000001FD0000-0x000000000216E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-917-0x0000000001290000-0x0000000001334000-memory.dmp

Filesize
656KB

Download
memory/2432-914-0x0000000000DE0000-0x0000000000DFE000-memory.dmp

Filesize
120KB

Download
memory/2432-916-0x0000000001290000-0x000000000131C000-memory.dmp

Filesize
560KB

Download
memory/2432-915-0x0000000000DE0000-0x0000000000DFA000-memory.dmp

Filesize
104KB

Download
memory/2456-449-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2456-197-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2488-70-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2488-40-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2488-39-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2488-45-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2488-544-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2488-530-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2496-414-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2496-433-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2500-160-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2500-27-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2500-29-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2500-36-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2672-655-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2672-651-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2760-326-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2760-301-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2788-55-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2788-56-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2788-62-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2788-76-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2812-388-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2812-400-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2856-15-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2856-128-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2856-13-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2856-22-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2888-93-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2888-8-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2888-1-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2888-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2888-149-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2924-507-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2924-488-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2928-570-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2928-559-0x0000000003CE0000-0x0000000003D9A000-memory.dmp

Filesize
744KB

Download
memory/2928-558-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2972-696-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2972-130-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2972-339-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3012-581-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3024-629-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3024-633-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download