14f6e5def5de8dea8e64c044b8b4664d5b1c1f4c6bc10b8e59cacd6eba9d3fcb

Analysis

max time kernel
140s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 10:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe
Size

1010KB
MD5

ed0c31de79a332702d6d561cd54f0f40
SHA1

cdea375cfa51316312ecda28c11ced2ad6161602
SHA256

14f6e5def5de8dea8e64c044b8b4664d5b1c1f4c6bc10b8e59cacd6eba9d3fcb
SHA512

d753965a08babe52276c361929047d7316b24826ce4afce7a3424294dd8c22762e98ae429b03f81375d27a8f6f29d56ef8abc1a54f8b92461c09253aeac1bd69
SSDEEP

24576:iEpQQJvKPzvYZHTHy7GlDmKBJfJVSVTLgBe:TKPzvoS7GlU/gB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2668	alg.exe
2700	aspnet_state.exe
2428	mscorsvw.exe
528	mscorsvw.exe
1208	mscorsvw.exe
1932	mscorsvw.exe
1912	ehRecvr.exe
1804	ehsched.exe
2792	elevation_service.exe
2996	IEEtwCollector.exe
1020	dllhost.exe
2364	maintenanceservice.exe
2988	OSE.EXE
2912	OSPPSVC.EXE
1944	mscorsvw.exe
704	mscorsvw.exe
2960	mscorsvw.exe
564	mscorsvw.exe
2104	mscorsvw.exe
1264	mscorsvw.exe
2128	mscorsvw.exe
2796	mscorsvw.exe
1996	mscorsvw.exe
620	mscorsvw.exe
268	mscorsvw.exe
2120	mscorsvw.exe
2960	mscorsvw.exe
2024	mscorsvw.exe
1428	mscorsvw.exe
2412	mscorsvw.exe
1812	mscorsvw.exe
2504	mscorsvw.exe
2128	mscorsvw.exe
3036	mscorsvw.exe
2352	mscorsvw.exe
868	mscorsvw.exe
1676	mscorsvw.exe
592	mscorsvw.exe
684	mscorsvw.exe
2188	msdtc.exe
2572	msiexec.exe
1700	perfhost.exe
868	locator.exe
2292	snmptrap.exe
2392	vds.exe
584	vssvc.exe
684	wbengine.exe
3020	WmiApSrv.exe
2612	wmpnetwk.exe
2400	SearchIndexer.exe
2836	mscorsvw.exe
2020	mscorsvw.exe
952	mscorsvw.exe
968	mscorsvw.exe
944	mscorsvw.exe
2440	mscorsvw.exe
2016	mscorsvw.exe
1264	mscorsvw.exe
2288	mscorsvw.exe
2180	mscorsvw.exe
1828	mscorsvw.exe
2440	mscorsvw.exe
2088	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2572	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
764	Process not Found
944	mscorsvw.exe
944	mscorsvw.exe
2016	mscorsvw.exe
2016	mscorsvw.exe
2288	mscorsvw.exe
2288	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
2088	mscorsvw.exe
2088	mscorsvw.exe
2128	mscorsvw.exe
2128	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe
1620	mscorsvw.exe
1620	mscorsvw.exe
1640	mscorsvw.exe
1640	mscorsvw.exe
2388	mscorsvw.exe
2388	mscorsvw.exe
2568	mscorsvw.exe
2568	mscorsvw.exe
1200	mscorsvw.exe
1200	mscorsvw.exe
2016	mscorsvw.exe
2016	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
1200	mscorsvw.exe
1200	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe
636	mscorsvw.exe
636	mscorsvw.exe
1920	mscorsvw.exe
1920	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\77b99472ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F5A.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2607.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4366.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F34.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP35B0.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP45A8.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3B2C.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5AAE.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5DF8.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b07f0bdba3aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1124	ehRec.exe
2700	aspnet_state.exe
2700	aspnet_state.exe
2700	aspnet_state.exe
2700	aspnet_state.exe
2700	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2660	ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: 33	2588	EhTray.exe
Token: SeIncBasePriorityPrivilege	2588	EhTray.exe
Token: SeDebugPrivilege	1124	ehRec.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: 33	2588	EhTray.exe
Token: SeIncBasePriorityPrivilege	2588	EhTray.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeDebugPrivilege	2668	alg.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2700	aspnet_state.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeSecurityPrivilege	2572	msiexec.exe
Token: SeBackupPrivilege	584	vssvc.exe
Token: SeRestorePrivilege	584	vssvc.exe
Token: SeAuditPrivilege	584	vssvc.exe
Token: SeBackupPrivilege	684	wbengine.exe
Token: SeRestorePrivilege	684	wbengine.exe
Token: SeSecurityPrivilege	684	wbengine.exe
Token: SeDebugPrivilege	2700	aspnet_state.exe
Token: SeManageVolumePrivilege	2400	SearchIndexer.exe
Token: 33	2400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2400	SearchIndexer.exe
Token: 33	2612	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2612	wmpnetwk.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1208	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2588	EhTray.exe
2588	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2588	EhTray.exe
2588	EhTray.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe
1928	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1944	1208	mscorsvw.exe	44
PID 1208 wrote to memory of 1944	1208	mscorsvw.exe	44
PID 1208 wrote to memory of 1944	1208	mscorsvw.exe	44
PID 1208 wrote to memory of 1944	1208	mscorsvw.exe	44
PID 1208 wrote to memory of 704	1208	mscorsvw.exe	45
PID 1208 wrote to memory of 704	1208	mscorsvw.exe	45
PID 1208 wrote to memory of 704	1208	mscorsvw.exe	45
PID 1208 wrote to memory of 704	1208	mscorsvw.exe	45
PID 1208 wrote to memory of 2960	1208	mscorsvw.exe	46
PID 1208 wrote to memory of 2960	1208	mscorsvw.exe	46
PID 1208 wrote to memory of 2960	1208	mscorsvw.exe	46
PID 1208 wrote to memory of 2960	1208	mscorsvw.exe	46
PID 1208 wrote to memory of 564	1208	mscorsvw.exe	47
PID 1208 wrote to memory of 564	1208	mscorsvw.exe	47
PID 1208 wrote to memory of 564	1208	mscorsvw.exe	47
PID 1208 wrote to memory of 564	1208	mscorsvw.exe	47
PID 1208 wrote to memory of 2104	1208	mscorsvw.exe	48
PID 1208 wrote to memory of 2104	1208	mscorsvw.exe	48
PID 1208 wrote to memory of 2104	1208	mscorsvw.exe	48
PID 1208 wrote to memory of 2104	1208	mscorsvw.exe	48
PID 1208 wrote to memory of 1264	1208	mscorsvw.exe	49
PID 1208 wrote to memory of 1264	1208	mscorsvw.exe	49
PID 1208 wrote to memory of 1264	1208	mscorsvw.exe	49
PID 1208 wrote to memory of 1264	1208	mscorsvw.exe	49
PID 1208 wrote to memory of 2128	1208	mscorsvw.exe	50
PID 1208 wrote to memory of 2128	1208	mscorsvw.exe	50
PID 1208 wrote to memory of 2128	1208	mscorsvw.exe	50
PID 1208 wrote to memory of 2128	1208	mscorsvw.exe	50
PID 1208 wrote to memory of 2796	1208	mscorsvw.exe	51
PID 1208 wrote to memory of 2796	1208	mscorsvw.exe	51
PID 1208 wrote to memory of 2796	1208	mscorsvw.exe	51
PID 1208 wrote to memory of 2796	1208	mscorsvw.exe	51
PID 1208 wrote to memory of 1996	1208	mscorsvw.exe	52
PID 1208 wrote to memory of 1996	1208	mscorsvw.exe	52
PID 1208 wrote to memory of 1996	1208	mscorsvw.exe	52
PID 1208 wrote to memory of 1996	1208	mscorsvw.exe	52
PID 1208 wrote to memory of 620	1208	mscorsvw.exe	53
PID 1208 wrote to memory of 620	1208	mscorsvw.exe	53
PID 1208 wrote to memory of 620	1208	mscorsvw.exe	53
PID 1208 wrote to memory of 620	1208	mscorsvw.exe	53
PID 1208 wrote to memory of 268	1208	mscorsvw.exe	67
PID 1208 wrote to memory of 268	1208	mscorsvw.exe	67
PID 1208 wrote to memory of 268	1208	mscorsvw.exe	67
PID 1208 wrote to memory of 268	1208	mscorsvw.exe	67
PID 1208 wrote to memory of 2120	1208	mscorsvw.exe	55
PID 1208 wrote to memory of 2120	1208	mscorsvw.exe	55
PID 1208 wrote to memory of 2120	1208	mscorsvw.exe	55
PID 1208 wrote to memory of 2120	1208	mscorsvw.exe	55
PID 1208 wrote to memory of 2960	1208	mscorsvw.exe	56
PID 1208 wrote to memory of 2960	1208	mscorsvw.exe	56
PID 1208 wrote to memory of 2960	1208	mscorsvw.exe	56
PID 1208 wrote to memory of 2960	1208	mscorsvw.exe	56
PID 1208 wrote to memory of 2024	1208	mscorsvw.exe	57
PID 1208 wrote to memory of 2024	1208	mscorsvw.exe	57
PID 1208 wrote to memory of 2024	1208	mscorsvw.exe	57
PID 1208 wrote to memory of 2024	1208	mscorsvw.exe	57
PID 1208 wrote to memory of 1428	1208	mscorsvw.exe	58
PID 1208 wrote to memory of 1428	1208	mscorsvw.exe	58
PID 1208 wrote to memory of 1428	1208	mscorsvw.exe	58
PID 1208 wrote to memory of 1428	1208	mscorsvw.exe	58
PID 1208 wrote to memory of 2412	1208	mscorsvw.exe	59
PID 1208 wrote to memory of 2412	1208	mscorsvw.exe	59
PID 1208 wrote to memory of 2412	1208	mscorsvw.exe	59
PID 1208 wrote to memory of 2412	1208	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ed0c31de79a332702d6d561cd54f0f40_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f0 -NGENProcess 250 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 288 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 244 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 260 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1f0 -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1f0 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1ec -NGENProcess 250 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 264 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 298 -NGENProcess 25c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 258 -NGENProcess 28c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1e8 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 28c -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d0 -NGENProcess 224 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 224 -NGENProcess 1e8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 290 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 264 -NGENProcess 1d0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a4 -NGENProcess 1e8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1e8 -NGENProcess 290 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 26c -NGENProcess 1d0 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d0 -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 260 -NGENProcess 290 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 2a4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b0 -NGENProcess 26c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 26c -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2b8 -NGENProcess 260 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 260 -NGENProcess 250 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2c4 -NGENProcess 298 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 298 -NGENProcess 2bc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2cc -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 250 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f4 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2f4 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f4 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 368 -NGENProcess 364 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 354 -NGENProcess 30c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 374 -NGENProcess 360 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 364 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 380 -NGENProcess 30c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 378 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 354 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 388 -NGENProcess 384 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 35c -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 394 -NGENProcess 380 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 384 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 354 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 354 -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3a4 -NGENProcess 384 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 39c -NGENProcess 3a8 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 398 -NGENProcess 384 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1912

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2364

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2988

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:268

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2188

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:1120
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
5dfd9732508d45faedb699257652aa4b

SHA1
7c3bf463c3354ffd7f9450d979d3091a75f94886

SHA256
7a500298b86b94eac0df86187b880c52e6892fbe92809bcecb325ada4c6c10e3

SHA512
278ccef606754363c2f662cc68fee5a30511ccf8d8d2d1f42d045a76b39f13fa6b5389399e4a38a052e00fcb7351d0b6d8c1e5fbb66d67a9da905d94c4e5e89b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
e00687c2a0768ad85dc3bbc2dc879911

SHA1
1f32a15a86b069f8b8ff7f50177804b4d8bf5c12

SHA256
23ac86128dc2679e1e1e3d7524fea69bbdc4685920201c26841631154f310660

SHA512
36d553c2cb9b11f4efed6cba3fd55a7d5575307c6cda806767f95cc593d07f6000e2e052ccf433eea9c14f59974008a7e6b771ff63d4364d836aa1dadba2c8bb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6d5d9f29ba79fcfdbf654081ef1bbe54

SHA1
16692ca0d2edc658710e4fd0f64beb3faa9b8777

SHA256
41ff7eb6d7b35cebde120cb5da358e2952e6aa11a336efa707d52247253f4045

SHA512
fab97749de94c340bb2fbf3180e99305665b78dab13619872f997208f9e4c7d809a57fa2cb81f2f682360f812d116980e94352c2fe707c1f4a388f3c78e87845

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
632c9510d6c6489778cabdc1a9feb909

SHA1
a98ee62421daa253b49eceffb6164ee88b194993

SHA256
12b0f1f11427a314c7884dc5ec51001bbe9692c994025e4cf39e0ce5e92a790f

SHA512
35b2a368aecbda48a950d3aa2ff6b3ec3a2fbccc9f3a9a7903f07f2de78ae04611540d8e47750392a8a74ea659280c125c71899d6b32dfaad67ac65f19ab6933

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
550c2d887c4dcc94cc2eb811a78a1784

SHA1
54e84ec733d183bcc6f44e17d35533794923f8cb

SHA256
8ef108e1dcfaa9e9d107e2e145fdba094a157120118032024be50e665af76663

SHA512
e761f5b099227fa8e8b78508026dca31c2d74fdf240580de0d2655e34629f047d89bc1da4c6034f70e51049f6ceddfe686ac4fbe7daee914a841304ab02e3a72

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
2f51064e0a6ad2bbc8d09f288a0eb249

SHA1
e3c38485afa865bcfaab3b543ff3fa398aac497f

SHA256
90a4094117d67583b8dd8508f7171032fd1e945f400440ec168e8452bf922360

SHA512
bdc6b5742821e5ae97c182b3b9979e492a474ba59ab7240251561dc2b1a10e604554ec58e7097f5d057d10cb07f81424c923860e1288d6be5601deb0f5b2e670

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
091175c73cd0c4d63f3288afcf5e8172

SHA1
b9a38bb6adcdbf3e86c7897a32e8a66e8845ec4f

SHA256
57ce153fc1b266cd00c740bff545a99d02334414344f51043d8583f03a04d5a9

SHA512
25b4f8f7123a697e924d5f3d80d39929547e61749b5a986c0d37a548ea178765065bcade1597ff3f4b40f29fddd42e1995c9c084d12132d40f2ff87a16152d49

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
2b82c4cb960f2ccb70d9c84905fa9c90

SHA1
2d2cba2d3c89f28dc2a59f982c42143caf1fe398

SHA256
9ff9ae14e05cd408e79d2b963a3d3394d7090aa1df8998a6186063a6d0d50fbb

SHA512
315b4e144a7a5f6d93f8798c6491aef6cc63de9af8be2cb629cce3bbb7850bf0043d3275c5a4ab805be662220df826df988310886b37c0493412ecf34d26d95b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
abcc9ec50ecbdc0d9450713e56b5afc7

SHA1
01484b14b06af2b4fba40f649d96798272acffff

SHA256
d57cb4321f9a22c55597585dc737498419daafbaf0cfaa8e688eb55ffb90c939

SHA512
e7b9c8ab2eb55d18de3c39501beb82b625f14cfcb858e5bb8e7eaca9247922ae297dc5661f2bbe58c6c238651e29bc5e0a06107bbe6b1f4524aa4bc10bf27ffd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
f85e497479c959d579152598015ec3df

SHA1
8c08803bcffbb2c277f6acd00c0a64443bb72ffe

SHA256
42986f56d96a384b818704123002427093258c420d70d15a5f690dae4d02c75d

SHA512
ed0a3d2f96579da2e579d2e45e98ee48050b899ff52ca1ffbbe152c5871b567ea9a0d72ff5fecfdb2469ee6ef751dde9f0d0e9c73e9fc4990365e0fbb4fe246e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
39b3028ae295da392add356abaa35272

SHA1
0c43eafeb624e7ced363b3ac32db9ac864f6cd27

SHA256
19ad192fede0a10ac199b6b8a5800d68d2e0be5ea0912ad27a82691b26be4630

SHA512
fc7350fbca5d556bb42b22ff331c7500eaeb3a620b17415bb9b65e03d9caea9f1005dd8ffef1fae30a10b361a730c4963072d83bf6519a34dbdeedfd79512120

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
9b82c61663944da41084b7e83d1b9c28

SHA1
6de8f51ee381cd06baca5b3957cf20bfb9933c54

SHA256
72b0332da6e7f1f1cdd5e25b2f1332e1ad8851419c4b9460e22a5219bbe1c330

SHA512
0c5b788ecc5f06cb8578d9cff453e3df37374ce43e4765f982f4931ca5ac8b97d0dd873d5858f28e3c3f4da206a3b2840a8892bdaddd3f9628788fe868f90c83

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\383049994aeec16aea30415e749f82a5\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
1e3a18162b2b3262f6613a0f255276e3

SHA1
5e86922c51b33f048001bb936e14acdc4dd402b0

SHA256
b0d5c7c4d5e5d72f2aedd6093c56904e7d72f0b66acac7b272ca9b029a7b5df1

SHA512
8bbef692bc1f585e0bf3af5ca2af46019f3ada2b310c7cae2578cce4c32c494a56b98050f2692d42247f43713c643d1bb37528dde2244cc52b775986dbd8d2c7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3f1babae2e19101dd4fd18aad9ebf37b\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
66a5375506511dca2dfe3aa0bbddb4f4

SHA1
9b00dfe153eeacee8528243d2c8adc8c355ec694

SHA256
46547092b18fb0d2dbceeca28a862930e7c420221aa70aa994161ff67ede048f

SHA512
0545202059a8a89e8a0b1149fa42d025e37c76178267eb0aba9a97d6ec425b7af6e88b38b1187c7cb8cea0fc9eb7d5bed2c8f56a9175b560e08226463cecb949

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\54ba26779e6f2075f91293f4f81c2fff\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ad8c0e759df25e0049d44e5aba4f3321

SHA1
4e1e19b1b5602937057170bf390db0091899af69

SHA256
4c31b7d8501b8914425568b1c3a228aeafa35b6cd6bfcd9cf55dfa511a71ede7

SHA512
f23471c6371f3828002e2ff168013cc01d7744299bd14c7d2117bc39261a9d10cf3bbbe87af08874990a2e20998ec7e3208bf16659ef9e895147e854509f88c4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
33aa8531c9f9988d4184abdba8c7b5df

SHA1
ae326b47d80c8b0f4385354882db797e1f0792f2

SHA256
9b384d425347009895ff4d46bca33e10a7a014b738dbbe329761bd4c8608adb6

SHA512
4f347b1099ef9ee9a81e30c6524fd40114ee76dcd2c8cd47543cf3a12afa4e8352538d755dbfa1dd14933584cdd79b55c5bc9d08b2ea78ead26ab0044bb7e89b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
b66832d390c52dc2a20e50691f96da28

SHA1
f9d4f7b39318f660cc954e05f4a68d371366a898

SHA256
033e1bb12d9f0980c79a855e963adfab14a9683d3e46fedeae877f6f7fff9db0

SHA512
755badb1f994e2cc91b4776e3d4b3dde763b7086c8043ad6f8033d9bfd2bdbcf606a89747b7b4cb4376a76f8db2a554c39c88ce45a2cc11b0a60aa11ef24922b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
f6083b63e26c26e5c087e45daaa91bb7

SHA1
5c8ec9d452356557b5b2adaa9cfb033137dce7c6

SHA256
a82c29ca3ab73c4f8e23820f5f826c55e038e6c0c44d4b63f39d5da4e4ddbe42

SHA512
6ab08c7a9adc57d7123304780f7e450df34a1b1e35a0f2f5147b3d8892c56b53d327c52fe0a5216d1874cb5f78f8010f752a42567698fdca8db8943c05d1a50a

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
2e4447d11668e0e8a23f236424ac4726

SHA1
41f21e39443f38022d2ff7030b27c445250d8c1e

SHA256
12b47785101c4b7fb2a83e80a217a77b6919e675f9e74595adaa624a86d18dbd

SHA512
8121619991f129cc3777ced524d2c607f7489171e90b3ee177e3cd4aeda29899e93a039d88ec61744ec64771da526bd2c895858213c6845d4ea216aba6ddd994

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
2516556cf6ffcc98a81696ca7871ab06

SHA1
7d725624b323c426f80cfecda180f14f00d5b54e

SHA256
16ecb0e70d5e259095c7515b0b15a0b40078964124fd9cecfc09d3eff22b751a

SHA512
d7d298fa19d6975493bac5f5c8d30e738c1f90bec587370d0bb06767be2aace17b331123d42c48d4bf6960249e0d980fa41fa09ac4b41b1753ffdc1064d8ced4

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
d261fc4275c01683eab219df0e5d26b6

SHA1
8ff1aa2489cc50fe2ad9d31a7e5abc5dec35ed78

SHA256
3779dbc9c9d87181d5d89af2473eb17bb468fe73b0ca2023ffd142366b0a6b18

SHA512
ceba5cb0162b5e96c2a6fa8f6e69dea700f1ab2ccc0266c9f6315167ed4bc7b231d2af50100fc93d5eb348e061232fef25bb136989f4b72d949f1fe0bead348f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
02fc17240224fe942a82089f2535d03b

SHA1
746886ad336d44290007d490bcc7fb20a8d7e608

SHA256
8830fe4141e7af4853f172846b078cbe9dac1df7de892ecf12d52b3c3c54ee1f

SHA512
14dbdb713134ba5dd56981716dd24e37ec5615e2d82078fcca78dfd2d142b7a15b742c11e1a52c06619421fda21041f9764928a97ca3a8ea30a6b34520bf5e38

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
799458c5691dcb51977967945893b5ec

SHA1
358070b4a0dcf4af40d1809ef4c98b0a56bd3bf6

SHA256
4285e359fe6d088c9c20cf6a57050f555c0ec166676dcac8cb02483112a44fa5

SHA512
ecb4b8e4f77777cd5d51ae9c0fa3fa2a9e32488649ba8f94ed38db550a0d580de07977c515376506fdfa2f420c3186d8e5f6864ba70434ef996bdb8b6ae9119b

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
633a1776d92cd0454a5efac6f5e8d2b2

SHA1
f2f161fa759e07140870074378ccd1a4be46a251

SHA256
c07510d195ca35d17dd546bc0ce629625889e063230b70e828b17b70faeafce8

SHA512
14e09a40fc95888074453e4d5a30a539712468ee756e9065d5519da00a82b76ca7a2e63b679a18699a83a628ffbf55f32df88752119132c36369f4237f4fb01b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
6a8b20655608ae37cc4b657f8a6bd4c6

SHA1
b033559b8a7c9dc4b60bffd07bc6849acd23e8eb

SHA256
cf3ac0b18bc2832f4c08ca7ff3ce9606a935b28985a8dda3ae4d76a8ef21fcdb

SHA512
43b91d9d7a2c9b32b709cd8a73997481ce73fd2bdb58e112ae147e0f8010ac6ebbde97ef6bda5a06c32939444f0d0ba8cda90c2d8b4c23251afc85ea48d3db49

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
9965c12b7291fee566f4f33f7a419a61

SHA1
d2b023d0422881024f20c875dcdda371e30add25

SHA256
9ea90f0b40e94a521f586297fbaf57c8f2f1b0ee9d49cd8a22e2de608a7976b2

SHA512
7ff65373630cb935c30b5d7f175b656d2e49f6c42f6bba169e95d1ccf0628e15e60a9ba736716d644eeb3ac5d82e063ce38012a792e9fa7aa0a2ac7d91c782a6

Download Submit
memory/268-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/268-508-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/528-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/528-87-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/528-55-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/528-63-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/564-418-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/564-394-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/584-780-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/592-672-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/592-687-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/620-513-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/684-684-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/684-690-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/684-798-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/704-335-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/704-377-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/868-758-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/868-651-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1020-168-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1020-436-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1208-75-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1208-76-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/1208-81-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/1208-303-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1264-437-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1264-464-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1428-573-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1428-562-0x0000000003BF0000-0x0000000003CAA000-memory.dmp

Filesize
744KB

Download
memory/1676-662-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1676-652-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1700-740-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1804-695-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1804-375-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1804-127-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1812-577-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1812-598-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1912-704-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1912-334-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1912-120-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1912-114-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1912-113-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1932-96-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1932-305-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1932-103-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1932-97-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1944-332-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1944-313-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1996-486-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1996-501-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-561-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-540-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2104-415-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2104-439-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2120-517-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2120-538-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2128-607-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2128-469-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2128-623-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2128-466-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2188-712-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2188-810-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2292-766-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2352-635-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2352-640-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-194-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2364-187-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2392-770-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2412-586-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2428-40-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2428-47-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2428-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2428-93-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2504-610-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2504-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2572-725-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2572-821-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2612-819-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2660-74-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/2660-0-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/2660-165-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/2660-1-0x0000000001D90000-0x0000000001DF7000-memory.dmp

Filesize
412KB

Download
memory/2660-8-0x0000000001D90000-0x0000000001DF7000-memory.dmp

Filesize
412KB

Download
memory/2668-14-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2668-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2668-112-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2668-22-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2700-139-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2700-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2700-28-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2700-36-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2792-392-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2792-140-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2796-490-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2796-471-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2912-465-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2912-213-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2960-550-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-397-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-376-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-196-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2988-446-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2996-698-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2996-160-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3020-806-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/3036-620-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3036-628-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download