d194b4c9ebbfb6e4e600edc88f4e83def64a606c8a0587e2337c9e29f73bc444

Analysis

max time kernel
141s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
Size

1.3MB
MD5

d49d834c2f6be90b953f5ad604969d32
SHA1

dd9678187f2e7af7d492b3e09ccc4ec3a617cf43
SHA256

d194b4c9ebbfb6e4e600edc88f4e83def64a606c8a0587e2337c9e29f73bc444
SHA512

d209c700ac6555538a148b92b37b1906d44482218e7f961db54a75116246a6880129abeeef77988755f34d6c456a94a28a66a029de2045cbb137fe0ca3c17f77
SSDEEP

24576:r2zEYytjjqNSlhvpfQiIhKPtehfQwM9qySkbgedSmaouGSPGM9ZQ8GYelhwOXGEI:rPtjtQiIhUyQj1SkFdSdPGM7nmoOl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2548	alg.exe
2712	aspnet_state.exe
2744	mscorsvw.exe
2416	mscorsvw.exe
2324	elevation_service.exe
1480	GROOVE.EXE
2752	maintenanceservice.exe
1652	OSE.EXE
1260	OSPPSVC.EXE
864	mscorsvw.exe
1992	mscorsvw.exe
2784	mscorsvw.exe
2612	mscorsvw.exe
2444	mscorsvw.exe
1904	mscorsvw.exe
1100	mscorsvw.exe
744	mscorsvw.exe
1900	mscorsvw.exe
1552	mscorsvw.exe
1716	mscorsvw.exe
1960	mscorsvw.exe
1772	mscorsvw.exe
2348	mscorsvw.exe
1292	mscorsvw.exe
1920	mscorsvw.exe
2632	mscorsvw.exe
2748	mscorsvw.exe
2892	mscorsvw.exe
364	mscorsvw.exe
1508	mscorsvw.exe
2976	mscorsvw.exe
2300	mscorsvw.exe
1120	mscorsvw.exe
1556	mscorsvw.exe
2696	mscorsvw.exe
1916	mscorsvw.exe
2224	mscorsvw.exe
2880	mscorsvw.exe
1284	mscorsvw.exe
1304	mscorsvw.exe
1552	mscorsvw.exe
1788	mscorsvw.exe
2156	mscorsvw.exe
1636	mscorsvw.exe
1428	mscorsvw.exe
1568	mscorsvw.exe
1520	mscorsvw.exe
2768	mscorsvw.exe
2388	mscorsvw.exe
2920	mscorsvw.exe
1836	mscorsvw.exe
2240	mscorsvw.exe
620	mscorsvw.exe
1800	mscorsvw.exe
1020	mscorsvw.exe
2804	mscorsvw.exe
2464	mscorsvw.exe
2720	mscorsvw.exe
1292	mscorsvw.exe
560	mscorsvw.exe
2772	mscorsvw.exe
2752	mscorsvw.exe
2536	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
468	Process not Found
1284	mscorsvw.exe
1284	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
2156	mscorsvw.exe
2156	mscorsvw.exe
1428	mscorsvw.exe
1428	mscorsvw.exe
1520	mscorsvw.exe
1520	mscorsvw.exe
2388	mscorsvw.exe
2388	mscorsvw.exe
1836	mscorsvw.exe
1836	mscorsvw.exe
620	mscorsvw.exe
620	mscorsvw.exe
1020	mscorsvw.exe
1020	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
1292	mscorsvw.exe
1292	mscorsvw.exe
2772	mscorsvw.exe
2772	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
1596	mscorsvw.exe
1596	mscorsvw.exe
2056	mscorsvw.exe
2056	mscorsvw.exe
1092	mscorsvw.exe
1092	mscorsvw.exe
1328	mscorsvw.exe
1328	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
1848	mscorsvw.exe
1848	mscorsvw.exe
916	mscorsvw.exe
916	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a55d0fc5ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\CompleteMove.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\CompleteMove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB9E.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E12.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16CB.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8C83C697-5DE4-41F8-B751-E1E34A8D2FC5}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1C28.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP71C6.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	elevation_service.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF7F6.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2020	2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeDebugPrivilege	2548	alg.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeDebugPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2416	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 864	2744	mscorsvw.exe	37
PID 2744 wrote to memory of 864	2744	mscorsvw.exe	37
PID 2744 wrote to memory of 864	2744	mscorsvw.exe	37
PID 2744 wrote to memory of 864	2744	mscorsvw.exe	37
PID 2744 wrote to memory of 1992	2744	mscorsvw.exe	38
PID 2744 wrote to memory of 1992	2744	mscorsvw.exe	38
PID 2744 wrote to memory of 1992	2744	mscorsvw.exe	38
PID 2744 wrote to memory of 1992	2744	mscorsvw.exe	38
PID 2744 wrote to memory of 2784	2744	mscorsvw.exe	39
PID 2744 wrote to memory of 2784	2744	mscorsvw.exe	39
PID 2744 wrote to memory of 2784	2744	mscorsvw.exe	39
PID 2744 wrote to memory of 2784	2744	mscorsvw.exe	39
PID 2744 wrote to memory of 2612	2744	mscorsvw.exe	40
PID 2744 wrote to memory of 2612	2744	mscorsvw.exe	40
PID 2744 wrote to memory of 2612	2744	mscorsvw.exe	40
PID 2744 wrote to memory of 2612	2744	mscorsvw.exe	40
PID 2744 wrote to memory of 2444	2744	mscorsvw.exe	41
PID 2744 wrote to memory of 2444	2744	mscorsvw.exe	41
PID 2744 wrote to memory of 2444	2744	mscorsvw.exe	41
PID 2744 wrote to memory of 2444	2744	mscorsvw.exe	41
PID 2744 wrote to memory of 1904	2744	mscorsvw.exe	42
PID 2744 wrote to memory of 1904	2744	mscorsvw.exe	42
PID 2744 wrote to memory of 1904	2744	mscorsvw.exe	42
PID 2744 wrote to memory of 1904	2744	mscorsvw.exe	42
PID 2744 wrote to memory of 1100	2744	mscorsvw.exe	43
PID 2744 wrote to memory of 1100	2744	mscorsvw.exe	43
PID 2744 wrote to memory of 1100	2744	mscorsvw.exe	43
PID 2744 wrote to memory of 1100	2744	mscorsvw.exe	43
PID 2744 wrote to memory of 744	2744	mscorsvw.exe	44
PID 2744 wrote to memory of 744	2744	mscorsvw.exe	44
PID 2744 wrote to memory of 744	2744	mscorsvw.exe	44
PID 2744 wrote to memory of 744	2744	mscorsvw.exe	44
PID 2744 wrote to memory of 1900	2744	mscorsvw.exe	45
PID 2744 wrote to memory of 1900	2744	mscorsvw.exe	45
PID 2744 wrote to memory of 1900	2744	mscorsvw.exe	45
PID 2744 wrote to memory of 1900	2744	mscorsvw.exe	45
PID 2744 wrote to memory of 1552	2744	mscorsvw.exe	46
PID 2744 wrote to memory of 1552	2744	mscorsvw.exe	46
PID 2744 wrote to memory of 1552	2744	mscorsvw.exe	46
PID 2744 wrote to memory of 1552	2744	mscorsvw.exe	46
PID 2744 wrote to memory of 1716	2744	mscorsvw.exe	47
PID 2744 wrote to memory of 1716	2744	mscorsvw.exe	47
PID 2744 wrote to memory of 1716	2744	mscorsvw.exe	47
PID 2744 wrote to memory of 1716	2744	mscorsvw.exe	47
PID 2744 wrote to memory of 1960	2744	mscorsvw.exe	48
PID 2744 wrote to memory of 1960	2744	mscorsvw.exe	48
PID 2744 wrote to memory of 1960	2744	mscorsvw.exe	48
PID 2744 wrote to memory of 1960	2744	mscorsvw.exe	48
PID 2744 wrote to memory of 1772	2744	mscorsvw.exe	49
PID 2744 wrote to memory of 1772	2744	mscorsvw.exe	49
PID 2744 wrote to memory of 1772	2744	mscorsvw.exe	49
PID 2744 wrote to memory of 1772	2744	mscorsvw.exe	49
PID 2744 wrote to memory of 2348	2744	mscorsvw.exe	50
PID 2744 wrote to memory of 2348	2744	mscorsvw.exe	50
PID 2744 wrote to memory of 2348	2744	mscorsvw.exe	50
PID 2744 wrote to memory of 2348	2744	mscorsvw.exe	50
PID 2744 wrote to memory of 1292	2744	mscorsvw.exe	51
PID 2744 wrote to memory of 1292	2744	mscorsvw.exe	51
PID 2744 wrote to memory of 1292	2744	mscorsvw.exe	51
PID 2744 wrote to memory of 1292	2744	mscorsvw.exe	51
PID 2744 wrote to memory of 1920	2744	mscorsvw.exe	52
PID 2744 wrote to memory of 1920	2744	mscorsvw.exe	52
PID 2744 wrote to memory of 1920	2744	mscorsvw.exe	52
PID 2744 wrote to memory of 1920	2744	mscorsvw.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 238 -NGENProcess 244 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 234 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 268 -NGENProcess 238 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1d8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 254 -NGENProcess 238 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 260 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 28c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 11c -NGENProcess 120 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2c8 -NGENProcess 27c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2cc -NGENProcess 2c8 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2b8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c8 -NGENProcess 2b8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2b4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2b8 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2b8 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f0 -NGENProcess 2b4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 2b4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2b4 -NGENProcess 2b8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 2d0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 300 -NGENProcess 2f0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f0 -NGENProcess 2b4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e0 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 30c -NGENProcess 2d0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 310 -NGENProcess 314 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 30c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 30c -NGENProcess 310 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 308 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 328 -NGENProcess 318 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 318 -NGENProcess 310 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 330 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 308 -NGENProcess 328 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 338 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 310 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 340 -NGENProcess 328 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 328 -NGENProcess 338 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 348 -NGENProcess 330 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 330 -NGENProcess 340 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 330 -NGENProcess 348 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 348 -NGENProcess 328 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 358 -NGENProcess 2e8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 328 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2e8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 2e8 -NGENProcess 35c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 35c -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 370 -NGENProcess 368 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 374 -NGENProcess 370 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 364 -NGENProcess 36c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 378 -NGENProcess 384 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 34c -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 34c -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 36c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 388 -NGENProcess 394 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 370 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 398 -NGENProcess 368 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 394 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 368 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3a4 -NGENProcess 3a0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a8 -NGENProcess 3b4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 398 -NGENProcess 368 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3ac -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 368 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 378 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 378 -NGENProcess 3ac -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3a8 -NGENProcess 3c8 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3a8 -NGENProcess 378 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 388 -NGENProcess 3c8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3c8 -NGENProcess 388 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3dc -NGENProcess 378 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3bc -NGENProcess 378 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 378 -NGENProcess 3c4 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3ac -NGENProcess 3e8 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3f0 -NGENProcess 3dc -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3c4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3e8 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3e8 -NGENProcess 3f0 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f0 -NGENProcess 3f4 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3bc -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 40c -NGENProcess 3f8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 414 -NGENProcess 3bc -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 410 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 3f8 -NGENProcess 420 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3f4 -NGENProcess 410 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 424 -NGENProcess 418 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 420 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 210 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 420 -NGENProcess 410 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 418 -NGENProcess 42c -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 418 -NGENProcess 420 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 3f4 -NGENProcess 41c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent d4 -InterruptEvent 42c -NGENProcess 430 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 3f0 -NGENProcess 41c -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 3f0 -NGENProcess 42c -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 210 -NGENProcess 41c -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 43c -NGENProcess d4 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 3f0 -NGENProcess 444 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 42c -NGENProcess 448 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 420 -NGENProcess 444 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 44c -NGENProcess 3f0 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 448 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 444 -Pipe d4 -Comment "NGen Worker Process"
  2⤵
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 444 -NGENProcess 44c -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 45c -NGENProcess 448 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 448 -NGENProcess 454 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 464 -NGENProcess 44c -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 420 -NGENProcess 460 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 438 -NGENProcess 468 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 470 -NGENProcess 464 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 43c -NGENProcess 468 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 468 -NGENProcess 438 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2324

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2752

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1652

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Drops file in Windows directory
PID:2848

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Drops file in Windows directory
PID:2616

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:1972

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
PID:1848

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:2276

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:2228

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:2124

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:1956

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:676

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1428

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:364

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1672

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1000

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2756
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:2984
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1564
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
d88d3e8d12e42eae06b28192c9a9fff9

SHA1
5f56478197c8cf61d8c5e3d728fb1c4264bf7d22

SHA256
413ca92841b99f48bee053e715f39aaac24c77e1e37170a633bcea732b27f0ce

SHA512
9b3ad7ed19791c67f4fe0e51c38a36bbc5665882df6c4d52bdeb4668c23cefcbb61bbf991351f871015c3d001b78c96473a6f3956a07a697b9b8d0e29aa5bd38

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
9c85b4f2150cd8c75a0ed760aac9090d

SHA1
228e737557a7807deda40338b60df3d794fe1d70

SHA256
d08320bdc417b281565b583cfd0e21addbd7d675c8b930a8da8109edebdc7e2d

SHA512
841d3123f297a6f2225f171abc4dc7eed8e7dd62dfbd5fa3a314f480696fec1423390f4e4b7f48c5204c25a5cb45bac6f30fbb304d74c502e0a316a28cd916fd

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
5afc01769e2e647c6293d25127203c83

SHA1
438e640d8a6b0a5a314597c741a6b8f7f23b387b

SHA256
952ad85411e63ab0e51c8e1db77c5c9185d76fe2ac30096e4fd1cea3ce95bb71

SHA512
8ba63d1b43f08d94a487064f14d5b22cbe010b8894c3a4c32c1e32ba927941340c2edd6e7e888fe6ae65eaedb2868b1ee8afa6ff69b1e21e4fd3015b29c660ba

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
8509718bd1c240b3d60fdbfcab3bf9da

SHA1
7ff0de7c701eced11e0835a2fe18b9ac3efab327

SHA256
3d14d45fc00f06cb54b7d006e1f884581bdcd0f17412d9383a35a81b1502ec65

SHA512
b55ad12e4a83fcf93890e2e78265dbb62850565a975129205eb19635f656ea4821b7c495309b788d12ddc3258295fe84e7c3ef2d68e40c417c78aba3fc9c142b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
a4dfeee9eba6bd3c52dd190b2dd48916

SHA1
77fbb07790a522700508c7e4304c99468d2a389e

SHA256
ae25054a88fe2236440007959d4240d5e43fe1e9263b4745798160ea5dc87305

SHA512
36ea5a47c2e4b1b9a7589688653baefd0ece5e989c93aca0320e579836c8fe7d3c03cdb6d5b13a502b7e036f7883b9f342d451bb881a78d5eeefd81b72db3f68

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a14b21fe63eb2cb1b5f78a4fa57daf55

SHA1
e28ce222ce4c1139ff9c52413cabc30b522e94e2

SHA256
585156f0806939ac70355a5121b17232b363030d037aed66f4784d75887347ce

SHA512
1741778b91bedfb7d376b656fc779404cbc0073e4806e7075aef25c4b7e81aca8957468d7f76c4a72172a14fb83c82db23f0d733fa746cd8e3eca099b97dbe58

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
ddb285c68bcf5d20855ab598d51a8a3d

SHA1
6d4343dafca1c2f0aaacd44623e581b5783b1ab0

SHA256
b99722d51c0bd93ce6ec708fd873f2915693e5056028cd02af94a4df2538c6df

SHA512
8d7ba954e19ecf3b47c7c96a41b6182d1b214de27dc14539fc3fe1b58bb3442da9d21c5585688e55502252d73d9a497e2f7a9b048fe415f5513a2b2df346f011

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c31027f4aebc6e31fd0d4ac968f34bf5

SHA1
5940205f5f62c4ba1c05ba84945155356789216e

SHA256
1ca6431a2b97f87df06156c28058e50f710fb34d6ef5aaf32582a3f7e75393c9

SHA512
1acaf2f29e9d2267d2f2e0f144f11a36dc669ede560c00f520864a250ee99ef6a003db717dd39fcac620cbbc5e56277e77b96bd9b08acc37c7c993648307705a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9723a8305d0faeeae81b23b380c880f8

SHA1
788f2024f6d88ad25c721ae49710b4a837d077ec

SHA256
398989ac99cfab56d41c87dbd010387af3c283fe474cfaa5c5daefa73dbc699a

SHA512
82638eb5c5379a52e2bc598f9c1cdaa92a295b9eb3c12624f51eab3028c3af7884f003c4e9f8ac6f7668a298882657a7755221c775434769251faf0b771a3016

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
45197400fb98915bcb05121a28a9ec40

SHA1
59c146f3b83ec704094764d577d9f22879ecb651

SHA256
4884c924d31fbf9389e6d6bc0ef6182c898ed23cabceebbdb1f0ece61c2076c5

SHA512
157a0f4df73dd67c181a0aa5ef67bcb5a811f072f867167e7f986841e6fe9ada07feb97c2121f858183ca821b9881190694cc6482d23f557d843bfa0f4e2c10f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9fc49c348b0b5d5b679b8cda2a71f73f

SHA1
f7cc57d9ecfbe3a91d141d45f5a0cec8e6f80ca0

SHA256
cd8acf31f464acd48ab5060de9ed1b2fe96aa7710086e084633926612be59387

SHA512
18302d64be8b8f69d5a91c62728f43621692fdb8c1745fa494f8d4bffac359f434dd1e5bfe5814d19c40a43a7e5d6c6936532df6f1a0bc04a6328fdb1014b9aa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
bb273921265a5fab71f562cb697a8acc

SHA1
a5de7ec87717359ef4078139d1bf8ed198ff4420

SHA256
69e2753bcdc53bcd1a9a3a15ab98f5ffe94760db2f8f4ee21d0e30b50df6170f

SHA512
d2a0876e9c0a67fad7a1b354432d1c662f55d75961c1f7294b2091dbad889628b113f040150a5fabc7553be765244fd7dcc65969c083d3c7b810425d2e8bd723

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
d2251255b78d3f38951c7a30154e482d

SHA1
a8f9220d9861ddb07c8960e461027c98e5b1accc

SHA256
0a92bcd03780eb4dca6ba3ae1bbeea66c73ae810e068349fded0b5972e1fadb3

SHA512
99b3e729ff07d94134bf8566aa516db60eaf7cbadb1f36ac214b0b21e64cb8626babbe1f9eecb306ae9951f0aaa118ff4dff11197a6a206dfa4491d05f7a78ab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
4021fa8f9a28cf88652d5724e1df00de

SHA1
84831cde88a917f91a2aa6e744189aab27a85a1c

SHA256
878105dd300087bded6c3e20079038c2c30cfd9d032e1241bd967cedb68f9d7f

SHA512
272fa42a6fda3073e556eace57afa93605461033acefbe4cece2a60c95b4aea4202b5948d4d11eac0e5a9e48541ecfdc1bd4d507e3625507d521f0870ae66feb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
dc68a16b346c7ee72faadf590e5cac21

SHA1
862cad1ed104b34b621a9165ae5f45618bc5fb83

SHA256
28d687785493df4fb9838481997db945af1799b375ad6bddb604e61faf4722ed

SHA512
4a18fd062e40016d56da4ead36f141df091638af3069ccceaed1c705b5412df56bf5cd217cab040ce186c07fc714b0c6ffb69433b53a3d1fad1ecf2123926846

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7da570156d70277cf02d6316e9a1e74f

SHA1
b9195da0648a7a58d3fddeafcaaceef60612cb03

SHA256
e2981dc8451cf5c641eecf2710d3ebbb857abb23b3d381d555b8b951b9090bf1

SHA512
96cf9951de85039e1d9fb3ed6cdb1fb12c982c18bfdebc71bd1f10cac07c4042cfa6648da16263906821b6aa2b722a9ec464a7a26de248f5eb84afe48bf42c90

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
7daeac69a98ed501f641921e7447a717

SHA1
bf31d49d600ca365877c6f9cbf1ec330410bc51e

SHA256
d09d9e5a5eab027bfa09725bf194d935d35c5d1cb9187796ecf6b91d5fbc2b17

SHA512
d3e0c50900a09ad46abd818ad3cf42630e7875d1ed518d768b2b93dcea2fb940c9c135b342fa72e59d9dacf865c5f1e11c7e6ebd5a079e6a385ea454a94f4d9a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
a9fb12c8f61af9a90ff4096dbb497981

SHA1
78424996f3450c77e44f0a2cf2bd8b24d795156e

SHA256
038f40d2ed4380026f664902e2c4a67913dcff10b7f95549cfa33cf9455dba50

SHA512
b2d8e7031f700077ef973d1257895857d54509d055abdcf0e77edac5d185bdbcc5454b33a865a7ccfb9e66af7056d4a0e9aa09ee2208d52134e64b751414a24d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
62471fc04572b69aaa9cdea00050765d

SHA1
eedc3ed4434cb989e9fb7d96d79bc397e93934fe

SHA256
db0201d334497edf27a763bc0d04b75211093683814463914b65658b7aca167d

SHA512
47fbad9926d5d5382b1b1ee4d1712baa9f40cd0b127850e2cd273052d688fcc56b33962f6e04617d6c1804ec79f9aaf8f172729517fcfd31ff7803ba2e8405b3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
67fcbf7ac537a1e10b6879735b8a65cb

SHA1
c6be5994b203fe16783bd4fc5c5137fecd89ed66

SHA256
68014ce35b9e07095236e2bcee66aa8162b616efa7b9490b789121bdc40b0144

SHA512
25549399089c04853448bcd068c2ce6b0ebbdf07f241b7a69b936de05565e229fd8ffd0e1f541d896ca7eb6c8642886d9bacce54b5f655d312c7a0d651132704

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
a07e9ad098202cb56046831491ea9904

SHA1
f98ecdfebe920dbd5a59307d5a18ae52f8b5e0a7

SHA256
64e6df2d826cb576885928704a4c0b4211711a4a23f98f2445a71b39580528c3

SHA512
f20c1697109fbbc6ae023d27c664ea6fddccf28fc7b68f514e795a61b8db8313204287a58552e6f2cddf329d2a2669073f1001879f7292f0df00e8f9e605f88f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
ac676e13ba8ba105d7775df81c3253ee

SHA1
727f020b59414b9aeb19888a77ad2a2033f1322d

SHA256
cac5fd9bbb198b843805d6ad7aacad0fd5347c496552a49f3b2f1c2b86e0455f

SHA512
1d478fbc26dfd6152f260f6ecb0f2d2e8c1cd5a3a21c198dad70009afbb55bd96c5f689b94b8d25ffd38a289a405b309c57d0af0da50555ebb7e7938f7ee7586

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
3334fd3ab7d6cf7577b57be84bd611b8

SHA1
c9c49aa6d777d13c036570afbbc4c2b5af3c4073

SHA256
c16b7185fd44a3357a87da223464f66d8c0bd32f89eca58fd9632da1e2b924e6

SHA512
f319527533d1d03b825e2283e8e3701692c06a1f46474dee2677792671b6b920100074ac92c990e447c52b243a1eb416a4206377f9e10842d612d14ae671f036

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
124dc85a7eee88d3b6059f04f5404650

SHA1
d496ef028821df5867c471ee6e3072fde928e2f2

SHA256
5c9a3617db97d2c6040e50ab886de3c2d3a045d35df34cf45605134b5b3dfb9d

SHA512
2ab0e4263ba3e42a45db6621f376d619570fa5af94588cde50d73b04163d95577a28f355a0829a1ef0933bff4b14c225b7c5bee9dbad042924be2219b2048ea3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
29c8b19434ebdf3aa365d3d09ede9fc1

SHA1
4215317c5b6508efe6963a9e4e3e6d3219adca30

SHA256
9dbd504386460ab9cbac45df8cf4830769f9a3c25470e1794ed64d88edabdf95

SHA512
e8b5be8686cd255bdb05b8cb565224b3ffbf04c8c396f5b61721b2ab712318631e4caaaf1975e88b4e683bc8e044fa80984222bf80e203e2d9c13457cf24d75c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
71bfa739b446888b5f1e787fa7d3e895

SHA1
d9daf0a2d4835b39c3040a7f4adf9292ff9438a6

SHA256
69bfc739dc2b8ae7a9fdbbdbc1df32b5d3e6f29731ae288a148d85f8404f21d3

SHA512
7c26eec71c68b08ec0379395033f8ada6ccae11b8bb900da2e8bab3f4e2d96093ab59363b413b4c3b39f8fe2464bb04b1f0616f09caa7a63fe29d279cb98617e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
25bdaf7f9edc9cabee6f61f03461d69b

SHA1
278905ce4cd90110dd73c5bb5ed86ea3c8a2f391

SHA256
baf7ea683b42d21e1aaea13d7c6340c6df1be49ac36872290fccf9ef948af0ec

SHA512
efb33f3b1bf0d055c48d1a3d8c414606aeddc6cabe7cea55b7fa3b709385c3aebadd53d50b448c7ff5cc350f08d3ed9e2b8b80760055cf7f63c209eb57b119ac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
577KB

MD5
f8b21931b11a570883d0d75e9c58ba3d

SHA1
5ff0cdb4df79bee6fa55d89151dff3bf68357d22

SHA256
84effa44f1830eb48bde6362988e258e400294fe789d2b4d6a02c27943614da2

SHA512
bfcc41c48f7c561ffb00b00b59a9a803e4ff10d34ba72aeb8efce95766fb0e71c942bc832dffbfa19cdffcd8da22b5a86ca7e071eaec53498cca2b3d16f48261

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
577KB

MD5
7fedd2ecac87fea37908c23a12e26e05

SHA1
447c7589a2f0d2a03d00e18e966c7d7b14229ca5

SHA256
9f2763bfdaa272c3c78c69eb520350771aa78f56b2edaff6d66704009feb30e9

SHA512
c0017c1721dda7cb27a7dfca4d1eb8a75933801312ac5302ca880c9ca6f9eae396a5c739d6905aa3979a6407ed2e536aa61fe277b98546267025b9d249fff108

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
639KB

MD5
119f9aeff1b62256af154c988aad47dd

SHA1
1a19c7acad233d7f8aee53fd4c18ba882e55ce58

SHA256
4f0e1993e1e3506308557fa7033149b2394e84303b5b5b0cfd45f9c8474829ea

SHA512
f020782c9feb47e7902ebc457a327f1881e666c9ba2a168b67960fd5f0765e316bfb96f157e24b2df8aaf7bfa2df32e4260fedce531a5f67d48c2ea822323937

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
39e8ae070769fdf92d65cc0ce887f2f4

SHA1
1fb124220d5833e4bf1e429fb208a39f52b95139

SHA256
a8ee7c2cf7ed4372e791d6938dbd4c4c1cc549615d7a978926c98ce543123f7f

SHA512
5b57bcb9634ec0c9414e474f9855acbe807b7494ada1eecbaa472fbf93dd6449b4884ee33e066665768d3b39290c17af85c8c4340516365542c21b07f3f06365

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
de5d5da4160b7dd247bc57740d022adf

SHA1
f3a181ed9c343205b1780644ccdafb5a5069eefe

SHA256
63fdc5ae4e9bdd0251f4d6e8ff3b6235e57a5633a66b13803e869c09b0246a53

SHA512
0376b5f4336c4362d780a9671d753b32a61ab71ac30a1295520bb6d8f9dfa6b61eb7dbc9b53f2f573b252a7817c4636019a0b62a4b491466d6c7eb15ab7de260

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
409ac18ccb6f13f72f158aa9d1168eb5

SHA1
ab804a3cffcf30fa8adf3ddc13858d85fdec0353

SHA256
95ba822bd3f9475755aa8018957ce54627e72eac27d69743856c68a715ec6b2e

SHA512
b5475ba71287f5a7201d730ca82a3ceb562d8f6fb9c0ad7dc1efb9fc2b97da361b08914c089c6b210567c63763d03ccdd457c1e3803f0b30e3a489908f957bf5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
00e2feb129f0d216d301e4c1ba9aaf72

SHA1
af152fe309ff8b9ad9fa9da2d096dbc40b701bc2

SHA256
22d0d7e2afa50b2bcf70cccce18166c677b37196a1888f8e7a283e734ba7bdd0

SHA512
732383eebdfc078a060aab9ec4b6715dfb89ba3129bff8fefb4403ab5757a8b3c796348c53af480b1db785e7776b251d0994c98a05f2beeb3a96fde1a6e7f97b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
9a08488979305609b1320069174791c6

SHA1
7cc216b331a02b883e157dfacb35030c17c48163

SHA256
d691c5a49a9066cf70e1f1e55bff27dc9b90dd8c1d8e4345ef0688af6baa490c

SHA512
43995f3d266479fa5149dbc57ee90d910b4269f31c8b80bfd52e4951601b513b70d16f6e54b78bf7f9c33d02685198385811bbc25eb7fb924c1d9bf1c75fc2b0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2a8391b905d365c78fae7d0c5d1e941a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
623736412dea3bc8511c716a9407c5a5

SHA1
bf3ccad8004986e58b2b2e6d078d6c58d8cb3099

SHA256
722af5b582816506e0b57f75d31447af0a6d9f7e8a467b2435fbf8f26138397f

SHA512
dd453ae8af5430eb7674aa7f4a7417525bbb208480bae2c5dc118cb00aa87afa1b5f78d3666ab740d413ae168585ceaf25ac1d4f79e947b93b5c344ce5f5844d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\80d9fea1960a00580c1f0239ba9516c4\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
7b507586496558fbcd3285a6ae4e912b

SHA1
6060a389637835297b98f6c7dcfa31e313633120

SHA256
b48cd7cc5c7365ea60a4acbba398789c2d805849f133b5f5b9ac9bb03765762c

SHA512
3a4a212fb4362deb03f2af1ac0d5a8ba4d206cac06c718d0c77c367f40894628a566a2c0fd6391ef04eb12d4e92cf6b3c6f0f2744485b28224dd3a27366df324

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a47062a798dbceedef1f91b4367c2249\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
e2004782786183e380bd65675e8a0d11

SHA1
b25e5de15b2e5025a2c87f115977fb8837133ebd

SHA256
8f5e9ff42e86c6025c3e214689949be2f7faf34abb78713371ef06bfde13af20

SHA512
091f017a9aef5c598e0923c1dad292e880cb363f85c05e15a26fc0c17b096818b55d337fdbaefd4ab789a6b5e8d94b42d21fd2ff3abb5b323e75cc84e6e05d29

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
cf4b559cd557859e1db3a1744cc03c69

SHA1
30509e75705b904c601fcb2229dfb098ef7237ee

SHA256
dbe6810aad777691b65363f9deef6aa2b37ae1928d21eb888f57d6c7bd22a8bc

SHA512
a41730f3659a5bd9479bb3c33a17302b992095f2ef92a1467ae006b942149d9519b271cc32f58dffe4b326e1269e03ff16aca14ed9207c39a8bac63e5dbfbf85

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
0a064ff875dfbb70cf3c8d829e946ebf

SHA1
c2568ab32954a4bfdf24dcc228f3240b124b7867

SHA256
3dacff9892145b37826bd180569d07f6d25946b8decdd121be8b05ed7ab08f37

SHA512
1d35e4bcf4714a008e17c0d6cc052c81f118b0c3f3ff2c0af7ff200ec1ec4f6b1f7beed6c58aa676b0d6fa2c47c1abfc856b604807807d3faa6eda2012be0927

Download Submit
memory/364-507-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/364-495-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/744-357-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/744-369-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/864-280-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/864-250-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/864-241-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/864-246-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/1100-360-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1100-339-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1120-567-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1120-546-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1260-372-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1260-104-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1260-98-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1260-106-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1284-659-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1284-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1292-446-0x0000000003C30000-0x0000000003CEA000-memory.dmp

Filesize
744KB

Download
memory/1292-449-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1292-444-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1304-677-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1304-689-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1480-77-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1480-69-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/1480-74-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/1480-334-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1508-519-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-515-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1552-388-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1552-695-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1552-712-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1556-570-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1556-564-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1652-94-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1652-356-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1716-389-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-400-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1772-426-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1772-413-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1788-723-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1788-718-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1900-373-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1900-376-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1904-335-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1904-347-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1916-644-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1920-467-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1960-406-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1960-412-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1992-277-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1992-292-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2020-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2020-6-0x0000000001D80000-0x0000000001DE7000-memory.dmp

Filesize
412KB

Download
memory/2020-1-0x0000000001D80000-0x0000000001DE7000-memory.dmp

Filesize
412KB

Download
memory/2020-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2156-731-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2224-647-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-544-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-538-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2324-58-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2324-313-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2324-64-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2324-65-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2348-445-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2416-50-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2444-324-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2444-316-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2548-28-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2548-19-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2548-20-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2548-97-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2612-319-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2612-306-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2632-471-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2696-617-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2696-634-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2712-240-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2712-33-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2744-606-0x0000000000CD0000-0x0000000000CEA000-memory.dmp

Filesize
104KB

Download
memory/2744-608-0x0000000001ED0000-0x0000000001F74000-memory.dmp

Filesize
656KB

Download
memory/2744-611-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/2744-612-0x0000000001ED0000-0x0000000001F58000-memory.dmp

Filesize
544KB

Download
memory/2744-613-0x0000000000CD0000-0x0000000000CF4000-memory.dmp

Filesize
144KB

Download
memory/2744-614-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/2744-36-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2744-604-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/2744-605-0x0000000000CD0000-0x0000000000CEE000-memory.dmp

Filesize
120KB

Download
memory/2744-610-0x0000000001ED0000-0x0000000001FBC000-memory.dmp

Filesize
944KB

Download
memory/2744-37-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/2744-44-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/2744-615-0x0000000000CD0000-0x0000000000CFA000-memory.dmp

Filesize
168KB

Download
memory/2744-274-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2744-607-0x0000000001ED0000-0x0000000001F5C000-memory.dmp

Filesize
560KB

Download
memory/2744-616-0x0000000001ED0000-0x0000000001F36000-memory.dmp

Filesize
408KB

Download
memory/2744-609-0x0000000001ED0000-0x000000000206E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-483-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2748-477-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2752-85-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2752-92-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2752-93-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2752-80-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2752-87-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2784-289-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2784-305-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-651-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-658-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2892-496-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2892-491-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2976-539-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2976-520-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download