a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
Size

1.2MB
MD5

aef16b43373c79e0a928e3dad16eb0a6
SHA1

586ea4f676f50bb3504c7936c1c3759588575285
SHA256

a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f
SHA512

43a9a2283f7cb6f7ca1bbb5aae4b1a7bc0af872bd4cf931c82812fda7ba615d6b355f06354cb46399aa68fd4ed51f7fbdad74b42c1691c46869d803721971e53
SSDEEP

12288:LuQUYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:LuQlc+pFB5z+//ufNRoZW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
2040	alg.exe
2688	aspnet_state.exe
2484	mscorsvw.exe
2492	mscorsvw.exe
1476	mscorsvw.exe
1068	mscorsvw.exe
1720	dllhost.exe
740	ehRecvr.exe
2752	ehsched.exe
2940	elevation_service.exe
1532	IEEtwCollector.exe
1056	GROOVE.EXE
2096	maintenanceservice.exe
2224	msdtc.exe
2728	mscorsvw.exe
2960	msiexec.exe
764	OSE.EXE
2064	OSPPSVC.EXE
2028	perfhost.exe
1160	locator.exe
2828	snmptrap.exe
1276	vds.exe
1536	mscorsvw.exe
2220	mscorsvw.exe
2672	vssvc.exe
2700	wbengine.exe
1552	WmiApSrv.exe
1736	wmpnetwk.exe
2228	mscorsvw.exe
2288	mscorsvw.exe
684	SearchIndexer.exe
2368	mscorsvw.exe
2488	mscorsvw.exe
1264	mscorsvw.exe
1220	mscorsvw.exe
1092	mscorsvw.exe
1376	mscorsvw.exe
2540	mscorsvw.exe
616	mscorsvw.exe
2284	mscorsvw.exe
2696	mscorsvw.exe
1376	mscorsvw.exe
2540	mscorsvw.exe
2264	mscorsvw.exe
1908	mscorsvw.exe
1004	mscorsvw.exe
1520	mscorsvw.exe
1092	mscorsvw.exe
1876	mscorsvw.exe
1488	mscorsvw.exe
2836	mscorsvw.exe
2588	mscorsvw.exe
1964	mscorsvw.exe
2300	mscorsvw.exe
1572	mscorsvw.exe
2352	mscorsvw.exe
1900	mscorsvw.exe
1352	mscorsvw.exe
2476	mscorsvw.exe
2316	mscorsvw.exe
1660	mscorsvw.exe
2108	mscorsvw.exe
1640	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2960	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
748	Process not Found
2352	mscorsvw.exe
2352	mscorsvw.exe
1352	mscorsvw.exe
1352	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
2516	mscorsvw.exe
2516	mscorsvw.exe
928	mscorsvw.exe
928	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe
1640	mscorsvw.exe
1640	mscorsvw.exe
2228	mscorsvw.exe
2228	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
1868	mscorsvw.exe
1868	mscorsvw.exe
1752	mscorsvw.exe
1752	mscorsvw.exe
1544	mscorsvw.exe
1544	mscorsvw.exe
1532	mscorsvw.exe
1532	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\System32\alg.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fca282d88ab55808.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\system32\locator.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehRecvr.exe	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5513.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5A21.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A62.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP52E1.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C2D.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5CC0.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP510D.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP70DC.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{45B8732D-64E6-4126-9E85-4E9B6F50CEC0}.crmlog	dllhost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050373ef7f7c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
324	ehRec.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: 33	280	EhTray.exe
Token: SeIncBasePriorityPrivilege	280	EhTray.exe
Token: SeDebugPrivilege	324	ehRec.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: 33	280	EhTray.exe
Token: SeIncBasePriorityPrivilege	280	EhTray.exe
Token: SeRestorePrivilege	2960	msiexec.exe
Token: SeTakeOwnershipPrivilege	2960	msiexec.exe
Token: SeSecurityPrivilege	2960	msiexec.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeBackupPrivilege	2700	wbengine.exe
Token: SeRestorePrivilege	2700	wbengine.exe
Token: SeSecurityPrivilege	2700	wbengine.exe
Token: SeManageVolumePrivilege	684	SearchIndexer.exe
Token: 33	684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	684	SearchIndexer.exe
Token: 33	1736	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1736	wmpnetwk.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeDebugPrivilege	1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
Token: SeDebugPrivilege	1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
Token: SeDebugPrivilege	1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
Token: SeDebugPrivilege	1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
Token: SeDebugPrivilege	1560	a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeDebugPrivilege	2040	alg.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe
Token: SeShutdownPrivilege	1068	mscorsvw.exe
Token: SeShutdownPrivilege	1476	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
280	EhTray.exe
280	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
280	EhTray.exe
280	EhTray.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1632	SearchProtocolHost.exe
1612	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2728	1476	mscorsvw.exe	45
PID 1476 wrote to memory of 2728	1476	mscorsvw.exe	45
PID 1476 wrote to memory of 2728	1476	mscorsvw.exe	45
PID 1476 wrote to memory of 2728	1476	mscorsvw.exe	45
PID 1476 wrote to memory of 1536	1476	mscorsvw.exe	52
PID 1476 wrote to memory of 1536	1476	mscorsvw.exe	52
PID 1476 wrote to memory of 1536	1476	mscorsvw.exe	52
PID 1476 wrote to memory of 1536	1476	mscorsvw.exe	52
PID 1476 wrote to memory of 2220	1476	mscorsvw.exe	53
PID 1476 wrote to memory of 2220	1476	mscorsvw.exe	53
PID 1476 wrote to memory of 2220	1476	mscorsvw.exe	53
PID 1476 wrote to memory of 2220	1476	mscorsvw.exe	53
PID 1476 wrote to memory of 2228	1476	mscorsvw.exe	59
PID 1476 wrote to memory of 2228	1476	mscorsvw.exe	59
PID 1476 wrote to memory of 2228	1476	mscorsvw.exe	59
PID 1476 wrote to memory of 2228	1476	mscorsvw.exe	59
PID 1476 wrote to memory of 2288	1476	mscorsvw.exe	60
PID 1476 wrote to memory of 2288	1476	mscorsvw.exe	60
PID 1476 wrote to memory of 2288	1476	mscorsvw.exe	60
PID 1476 wrote to memory of 2288	1476	mscorsvw.exe	60
PID 1476 wrote to memory of 2368	1476	mscorsvw.exe	63
PID 1476 wrote to memory of 2368	1476	mscorsvw.exe	63
PID 1476 wrote to memory of 2368	1476	mscorsvw.exe	63
PID 1476 wrote to memory of 2368	1476	mscorsvw.exe	63
PID 684 wrote to memory of 1632	684	SearchIndexer.exe	64
PID 684 wrote to memory of 1632	684	SearchIndexer.exe	64
PID 684 wrote to memory of 1632	684	SearchIndexer.exe	64
PID 684 wrote to memory of 2208	684	SearchIndexer.exe	65
PID 684 wrote to memory of 2208	684	SearchIndexer.exe	65
PID 684 wrote to memory of 2208	684	SearchIndexer.exe	65
PID 1476 wrote to memory of 2488	1476	mscorsvw.exe	66
PID 1476 wrote to memory of 2488	1476	mscorsvw.exe	66
PID 1476 wrote to memory of 2488	1476	mscorsvw.exe	66
PID 1476 wrote to memory of 2488	1476	mscorsvw.exe	66
PID 1476 wrote to memory of 1264	1476	mscorsvw.exe	67
PID 1476 wrote to memory of 1264	1476	mscorsvw.exe	67
PID 1476 wrote to memory of 1264	1476	mscorsvw.exe	67
PID 1476 wrote to memory of 1264	1476	mscorsvw.exe	67
PID 1476 wrote to memory of 1220	1476	mscorsvw.exe	68
PID 1476 wrote to memory of 1220	1476	mscorsvw.exe	68
PID 1476 wrote to memory of 1220	1476	mscorsvw.exe	68
PID 1476 wrote to memory of 1220	1476	mscorsvw.exe	68
PID 684 wrote to memory of 1612	684	SearchIndexer.exe	69
PID 684 wrote to memory of 1612	684	SearchIndexer.exe	69
PID 684 wrote to memory of 1612	684	SearchIndexer.exe	69
PID 1476 wrote to memory of 1092	1476	mscorsvw.exe	82
PID 1476 wrote to memory of 1092	1476	mscorsvw.exe	82
PID 1476 wrote to memory of 1092	1476	mscorsvw.exe	82
PID 1476 wrote to memory of 1092	1476	mscorsvw.exe	82
PID 1476 wrote to memory of 1376	1476	mscorsvw.exe	76
PID 1476 wrote to memory of 1376	1476	mscorsvw.exe	76
PID 1476 wrote to memory of 1376	1476	mscorsvw.exe	76
PID 1476 wrote to memory of 1376	1476	mscorsvw.exe	76
PID 1476 wrote to memory of 2540	1476	mscorsvw.exe	77
PID 1476 wrote to memory of 2540	1476	mscorsvw.exe	77
PID 1476 wrote to memory of 2540	1476	mscorsvw.exe	77
PID 1476 wrote to memory of 2540	1476	mscorsvw.exe	77
PID 1476 wrote to memory of 616	1476	mscorsvw.exe	73
PID 1476 wrote to memory of 616	1476	mscorsvw.exe	73
PID 1476 wrote to memory of 616	1476	mscorsvw.exe	73
PID 1476 wrote to memory of 616	1476	mscorsvw.exe	73
PID 1476 wrote to memory of 2284	1476	mscorsvw.exe	74
PID 1476 wrote to memory of 2284	1476	mscorsvw.exe	74
PID 1476 wrote to memory of 2284	1476	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe
"C:\Users\Admin\AppData\Local\Temp\a56d8fa0097c52a73fc2b712b57de18846a90a23ecc0a338c273bbef9508381f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2484

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 274 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 25c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 23c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 290 -NGENProcess 25c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 274 -NGENProcess 290 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1f0 -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 23c -NGENProcess 29c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 288 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e8 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 21c -NGENProcess 29c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1c4 -NGENProcess 288 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 29c -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b0 -NGENProcess 1d0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d0 -NGENProcess 1f8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 290 -NGENProcess 288 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 1e8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 1f8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1f8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 294 -NGENProcess 1e8 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1e8 -NGENProcess 2a8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 26c -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 290 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b4 -NGENProcess 2a8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2bc -NGENProcess 294 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 294 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c4 -NGENProcess 26c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 26c -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d8 -NGENProcess 2bc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2b0 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b0 -NGENProcess 2d8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2dc -NGENProcess 2f8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 26c -NGENProcess 300 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 308 -NGENProcess 2e4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 308 -NGENProcess 26c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f4 -NGENProcess 2e4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e4 -NGENProcess 30c -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 30c -NGENProcess 2ec -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 31c -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 328 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 330 -NGENProcess 320 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 334 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 328 -NGENProcess 320 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 338 -NGENProcess 330 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 33c -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2ec -NGENProcess 330 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 344 -NGENProcess 328 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 30c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 328 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 328 -NGENProcess 344 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 33c -NGENProcess 354 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 350 -NGENProcess 360 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 320 -NGENProcess 354 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 35c -NGENProcess 368 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 330 -NGENProcess 354 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 36c -NGENProcess 320 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 354 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 320 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 354 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 354 -NGENProcess 380 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 380 -NGENProcess 354 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 320 -NGENProcess 394 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 39c -NGENProcess 38c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 394 -NGENProcess 39c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3ac -NGENProcess 354 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 354 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 39c -NGENProcess 3ac -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3bc -NGENProcess 3a4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b8 -NGENProcess 39c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c8 -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1720

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1532

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2096

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:764

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
a7286d0d68d9604dfc03407d58878aa6

SHA1
e569543a8aa0e3f914517aa9c6f6d009cf6d99b0

SHA256
4bb92d82ad9bda494c292e3d22735322b17502ad1f1b3d9596477d0faf62b53d

SHA512
2e1b8e23974ac5940412a14b834204d429a11bbf22d7bf5b0cd6e458d0099c3a050b289437a6b92eda67bf1339214341d6e7f05a11843c2f125f5637eb87a1b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a81ae46a2396c3c5366590eced9c0142

SHA1
edb337c586609e56d96a00259af8966be36a0aad

SHA256
1afe5be4c3f7a6796de0832ab82d6a45f2af7f5228a72053b0f5004330992a98

SHA512
c95098303ece7a8534fb0d927f6db4b0e9e806867bf2c939464fa3cb9609352db6ef7e49216ff4afd08aee6860cd2423bc8ba3f31d513763440e433e8860108e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7b123ef1ad7bb0daa6e1c195e33b5328

SHA1
663c79032061d161ce7c5ad775de796ef9f77c83

SHA256
ce41169d9160fad71f1cd5f8bb1447049c40cb2e876aaf76591f0ce8f9b3ed35

SHA512
ce7727f59b6b20534fb51f1000eda6aa1b01f8626670c43f1baecf09f1a793f13201b8d1a25150921bebc55d574f3f5913e47aaef462693ca52458517a2bc06c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
6a570919d24c16392ca0c6aa21eac60e

SHA1
4e017d03bce5ba5fd8d976392dbd3ea7a45d4b35

SHA256
96f1669e12134adc86da5f9e9ebeabe13a68fcd2c12f309d4f8fcee32d2d1f80

SHA512
51f9d256a1b43b4b10bc9547b2d8ffb5a0a55fe6ae2bff0d6fca789e0b67eef362ea3edd5f7535925b26b268eb4b2a116be46db59748a26896d334564a55af7d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4a1e9c5159ba4fcbfb6cb4900384dd0f

SHA1
3090330ba3b39c24c61cdc9c178b1322b78c17b5

SHA256
8dd8f2f43af4f71deb2735ebccdcb5c0746d9a0dceac35147e2b88f93f253a82

SHA512
c61e8461718bed4a37726d5454a3c05f29a9da05bf3a16855b06a7e367bbe9780c4c6381c85ed6a0e7f7785c89eadcbe059cb2e03ed3b10f70e88d04b7a3fa29

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6055cf892a89d7a80ac91f0125a0a6fa

SHA1
5af1dedba22b09023d03de76835bc4768bc83c6c

SHA256
c7ce31c965c402bd66d9dc2e42f0bcc29779308c94a2d0885da493349d464b99

SHA512
cc37c0078e792b93ac75d4dc4469dab3cfde4dfe9c64af8a4c0284b183f9ea9949baf11b3cef646e778af91ea9b7f4fe4d82a531098cac595ffbe335a841ed6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
7fa3daca96ff7de3cbe42b8652a3329c

SHA1
3ef81d0b9a3654f5890d4725d49327bd94751fe9

SHA256
75b3286db2fc8df577d7eb798f9083f1bac3460a1776e9fdab7360965f3fbd9e

SHA512
1f71206ac4164fe1ef07ba839260c2eff02b547b5eaceba389e172d1c94f7eab3ab2021bdafc3bc96af73793f43b430c3af2fe04ae96da2d6fd082aeb777f358

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
7d8fa200f1aec959cb157b25bca568f9

SHA1
4657b551c1fe74b8b1cfdf0dcd1b4902b58cbd93

SHA256
949964ec854563b881c2a0f3acfbf3c0fafe8aff136f1b972add5dcf1fcff1b8

SHA512
5a9fbb6decfd5e2840dc2e59f50f4159731da6b4a0deef0dbd7a0209c9f22f0973c00538701656459c8e3c058c9ba99795a711b67863b8ba44d60b8df03b5fb4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
0741ab7e2efa30fe90bb3dd9ce1843f3

SHA1
910757a4ba95cc95efa5fbf79d8780d78de23ce7

SHA256
398c3dfe18d42f4ba40e0149bae55661d4c91bfd53b15c002f15759a89801f1d

SHA512
c79f64315285783fbd9a91227b8d6ee1c092edd19bfecb83877287960ca5f371d0ddcea11922ccf1c6dfa68ec4d9352933d5326c7ec22621dacc8c63f8c766ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4874df152ead5823c5bc590055f26119

SHA1
a56e23f67b62cb2277ae5b56c141b24679e7d8bb

SHA256
609f2f34b06a66a45eed265908b266c486924b7bb2d5851c9f3c1f2d84d06df4

SHA512
bc371a26fd3b58cdf34fb784ff2c3db8e8996dbc5f726494a71f100eb17fbbc83f7f83c740f44b45ee8ddd4490e7658ebf3d97f6878f66c82c3598cfa30f3d86

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
df88858d6db1f4932dcfda510268acad

SHA1
c33677fb499fc6f2c7ee8ea7a9709cba8b463733

SHA256
09359664beb302c9c1d88bc4b84d34768c2853a56685bbb6abb98487b18df6b2

SHA512
9082234f4cbecbf2e5a86efe6acac4ae21087128375b6176c77b3bc2ba79115bb1c7fd81754adcfdc5a7ba46f383c854c5263eabb93a3c9daa5e6c90112b4cc0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
1f7debdf0c69e1e5d51959b21e6153f3

SHA1
032a6e8f4aa534bab1ba47b800924e3a6539fcf9

SHA256
264183f661fd8a26276387916ab05969dd4333ba1a0311d43a00136997dcf9cf

SHA512
903b07a8d60472d4d58660020fd76ac28f1e12e473ec60221a27ffac02893e3274083a390a9b533d95a18cc60e3cc529ecce5f218e021554127720bce8bb23f3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f15d5345b93dd0f8747ef93f28e709eb

SHA1
311a1e5e80c9856109748d1be457b2a537e9969d

SHA256
96a161ff4338fd8232c8c5c61ef11eb95fc0b051604a6ed3fcdaf9cd22ec623f

SHA512
f0f26cb51aa1d46b06bf767115974d335294f46502e8029fb44613205733b01490c970f18bc8a21f32bef1cb808a6f21d1c4e879f15b1cc4eda9184b8e85aefd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2265d6952508329f8866ccc7d2db0ab2

SHA1
fb78d879fea76e31468d94c5045c625e424bad9a

SHA256
87843f1f9e45c155dc48930621443c55871e3673f19312876a49ab1c822ef02a

SHA512
cf96c42e1a145adc02cb82ead5a20d9afbbe7460969f689554c1c822530075110bf400d630dea35d6616e7766144122123bf561600cfcc6463de4b1e6c6793ce

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
0acc665c1397c1b2be5079b767daab0a

SHA1
df14331230877ff11c150fa3ed05f1d6c2dc7d87

SHA256
964c937658ca977daa806151c2986022483aa9c93e71a149554e3730569197ab

SHA512
775139b18fbeb788558cd3827dd93ee740bf464dd433e4494a3944cfd055ecdef92cd106c565c044996d4c800af36e9a39ed51cc5cf0a227b2514ad1eb69cfa9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
37ec536e4a2160a1b83434113b15cc85

SHA1
24476e7e92aedb679c9f34cd7460a44acf9fbb7f

SHA256
de6f590c478f16c2425aad2c49d1ea58592d945265ddff9341df129fc47aa291

SHA512
179b164e45776ebe3695d0cff6cacef7e883efc54f00a9644cbc36801cac425c3df00d99d576f6c20f8b1bf15c5a94bc3a4dcd9be94b1f12b34139a6e11ef2b0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
09619e4b9ede9cf990abc6cc71c50fcc

SHA1
a8cf01d9ddebf98e100c5bcf89636b076f81bbc0

SHA256
660b3e203f3dfa21da80912d33c2dcb548a09d9183c3e094f763339481b90ec7

SHA512
95ef5948f6dab29e32d4b9e86e25d379772805b1466026cbb22062c295c1e736a29435e6102ae2d21de1e2b5af581b3af5553af77fc85a8895b3fb80c3e90a7d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4f67450a20450c71808acaab2fc0dda1

SHA1
7cb05430b07d7cb66ef722bc931096cc5d2577ca

SHA256
37fc14ba48422a475b146b3a9189c9d0752d6c31034939143477368cf8ff6769

SHA512
b75426fb68b714806c80f7b15e01cac12b06b63604b628c80e1d26b3c0a4b8cdddfe619ed2ea6c540527182e4b51551c53bb522c9befafa69bebf8b5de7c611e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\291191002a6df172a00de56cc24638d4\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
c8e14733e6f8256cc1230dadc36fa5d2

SHA1
b76774d3f4a3b75c862b8ff0aaed72405c892484

SHA256
2a19cd24d4a35498a6379a439749eec6d28e83524991e24bf46ca2b70bdc8fb2

SHA512
b35c3f2022208c58ae64344523a2f19c65bfd17dee12132f9934f1343df6737ce5cd48eb18be2d8cb4af5dbd1f0936f01406ccee49b2b8e11b46d8431aecd7f3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4099ddf4991a876506267bdf44fb1613\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
b8c32c938a8dd190cfb3c96d274f7450

SHA1
e05fa6b71533e8d558a48908b3415a616d5ff011

SHA256
8b32dfb6eacc14eb685aeb0fe3bfb64e7a4f25c8626cfc3f943d83584d1025e2

SHA512
d61f0dfb96b4d884757739adf87c6a7f4bc9d0172f49a78e4a99e9b8db97682926070264b8bde680aa0522808191c2f1761828cbc0f8bc53284d40c28f4b1cf2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b879191e13243643d0c6c64f070dd3e4\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
2e477951f6e25df6d349b7a1f8b3cada

SHA1
274446a973d20a7cb86a52192f4ba518bab23c37

SHA256
f4fdf8ff8d662155191b74c52b7b5253a0f79c6b059be26e2150695fd132f14e

SHA512
07304285b7f2c2ef362b6b6fa48e5998a9cd20a8a758f18cf04d0d57f01b4bcd0bf137162172d6d590defaaa2238898b86fe4ac0f6893840c72e6c991846b33d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d36d5faf337c14ca97417ad2d1b160d9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
93d0775e417ce3677d7f01cee57f5140

SHA1
6c178349e4b6d3026732ed5186a1fe0860bc1e9b

SHA256
aca40c4be1ac4db099f03389d34da9764f226ecbfab53dbf15ca43f04ad93bc5

SHA512
267e573ebb93e1e2f0dae8777525e2975a259cc3f013e3e3815ebeaf688354401fbdc03775b12c0a7348595aa60d3ec3b9147079ebd6f383b832f2f66857e266

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e060b61c9e0c62c77349a47525362def

SHA1
a6c259d6b763443677a8c6204148a38a00579d32

SHA256
416e4ede9a7ac361781dc2f3cb37c537f859fc76fcb2793700acc30ef96d88a5

SHA512
ae16825cce51fc2e2bcde134c4ec67bce0b7d65b2a0779da8d99204be197beedd472df1c467f89e063ed805738b4c1ea4e005f48c90e4be81f6afdeb56c76a57

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
501e9b75659ef39bb73736387fb94e08

SHA1
24c41585f5e975486587b5c3e9b360a27487feff

SHA256
7cca3b7a17139cbbc8fd388ebc16fdb9a7c9d774f63b7e6e9d09094cabad6792

SHA512
3a60f4b9d0e592a2ceb6675328368643b201b11a7b472242a27673ebf4595b12abc7051613cadc07219f8fe2e3133c89b773c63431ec86829eee3193a04803ce

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
4a3dff621f711d485781bc3799e9d4fa

SHA1
e187f9c8a1af4b83944a3cb51b5d3d78fc86b44a

SHA256
f1d9a77aef9068920fc864ae3ec9ff54d65920d775cafa22959ddacbd879c05b

SHA512
2716785b6c6ef1530f1a95022f527f529a2dcbd4e0af2e8347e48d6a2d002e93aa0d532edb4c5c73b621a2702fe0635a9e47c2b401b51c058780842ddf2fb891

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
20b09452d972074d6380a6092162255b

SHA1
ed544993e871403e0da9ee10667e879d798f512a

SHA256
1af0affe64a75f959672e2d1e525bc0c63f86b7cbd2b08473becbea8192fb3f5

SHA512
37146f6f07dfc107a63278d890395a9152913d2082f5839aa9f2bd7ffd8c845c4b8fae36b36633031ceb44663d9a19311169af326846f59dd1169a6d3b8a5e88

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
d8328b6d911081704c3bc5e92f5a388a

SHA1
8f0e6764b7d27c2fa16c9aa6d223f6cd34b61aae

SHA256
270ed210ad2d9803f82d6db746d06e9890db19c2c1df53608a36ece87d7c1457

SHA512
e2714ec3f90346010693843c3d6c8bdf218d0346ea64320cc0cfd9d4374c79076e0633eb98d630f6c01edb1943c4ba4bfbd219c266cc711ed59cd6ef3deac652

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fba1cfe0e23b7e3f71e21982cb9b73fd

SHA1
b380ef7e45093067f44fa5ed130c49b2b5e8184b

SHA256
7fd5cc32cd57d061d630d2ab8c3d008baf7a0ed0f2c55f71e26d3d7f8caf1343

SHA512
33c9b9cef2c5b946303cb62825ae979a0ee06bf36463343461d19dd793a644442c9b99c69fdc01a82b766ced214dab8cd9b392a3eca2de6b604c7adccfacf7ce

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
407aba50ed3c9ac8a133c3feab7e09ff

SHA1
ab41361bd961d9ed4379fcd690ad1c4ab022de0f

SHA256
6bfeaf084617c14aa9d3e27f0e651d67e70496a6abb4ffcc9553ed7f480601bf

SHA512
b271877059c8f945ebcb675f41d1519d846aeee3b0aa8a99077d3f04b714aad007c38f2a9c4dc914bc0d16e6b1691aa61d5c72be5b0614d323ae70c855424759

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
3626f94c4f3e4377e810ecbf90b9639e

SHA1
7d55a7dca4e69ed2d4ac84172608054154e9df11

SHA256
9f19d0ec184dc4cc4f7846391d980af2df7efca6136f90534b79941c7832d01b

SHA512
703e881a9ec619433cb92f1a319be4a4629fb191718ee5c789047918121255911a047e7b7ca53bd15239bb5d538155c326e49b6620a97f6ba9346e75f428eb80

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
afe824f77fe71ccff7261a1150083eae

SHA1
1f1fb43e7844891130743690d062803ff35edbeb

SHA256
429400c6a25585dcb679229cc67c411230313016dfb64b0c375262829f5e5656

SHA512
ca0fdb6215512f44646151bc9567027549114f8a4bc3de06a8846a907db536f3615cfcb2f4ead21957101a0b9f35baf68c436576388de02b2487e42262d3cde4

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
24c4c62b67693e976545664a104a13a2

SHA1
61567823344d801aa1a20abe2290dc746fd6b7ff

SHA256
27e5477ac3099ca1bef2e753579c43a2aecda01deaf3742ce0ddecdf9135731a

SHA512
43458caac63229e844c609f53d21997c0609d4d994adf02bf0b1bd0139012cfb82da7f4d2cf1afa19a6eb9c84a7aa4381708749e98aca5712430a8296ae0c28c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9886b1bf47cb8e47062148c9d7d5f45b

SHA1
dabc00f2143ff589c5e5b48f270bcbf867661673

SHA256
32a4e9acea0fc544e80fc4fb1717c9e7564be8af9e53ce4568a63ae98dbcf168

SHA512
3d72ef437e20298f8633b00ca52efed109e079fd938bf35acae3b9308936a559540dea822be1b530af1f214cfecc74e6c39a1951cf955b3b57a1e1af3565f5a3

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d59ebb934f8bc5a10c86946cf37a7223

SHA1
3afa1aa2ce0489a6d847ef9868eca7686952d7ab

SHA256
815f600fff65f8f15321f3e40f3b86c6d78f2375edfb36ed1e9f3ec07f46d17d

SHA512
67936b739f092fec6401704070a86b01f70e04849b0a87a3d8d5e86a92638001a2eb355545f7b022c82fb70f2c59097e7d4248cf41ebbdde8ae9292233cbcbab

Download Submit
memory/684-895-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/684-429-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/740-273-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/740-131-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/740-913-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/764-379-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/764-259-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1056-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1056-332-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1068-99-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1068-93-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1068-249-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1068-101-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1160-296-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1160-421-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1276-333-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/1276-496-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/1476-985-0x0000000001D90000-0x0000000001E18000-memory.dmp

Filesize
544KB

Download
memory/1476-984-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/1476-83-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1476-989-0x0000000001D90000-0x0000000001DF6000-memory.dmp

Filesize
408KB

Download
memory/1476-988-0x0000000001D90000-0x0000000001DBA000-memory.dmp

Filesize
168KB

Download
memory/1476-77-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1476-987-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/1476-235-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1476-986-0x0000000001D90000-0x0000000001DB4000-memory.dmp

Filesize
144KB

Download
memory/1476-983-0x0000000001D90000-0x0000000001E7C000-memory.dmp

Filesize
944KB

Download
memory/1476-78-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/1476-977-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/1476-978-0x0000000000F60000-0x0000000000F7E000-memory.dmp

Filesize
120KB

Download
memory/1476-982-0x0000000002010000-0x00000000021AE000-memory.dmp

Filesize
1.6MB

Download
memory/1476-981-0x0000000001D90000-0x0000000001E34000-memory.dmp

Filesize
656KB

Download
memory/1476-980-0x0000000001D90000-0x0000000001E1C000-memory.dmp

Filesize
560KB

Download
memory/1476-979-0x0000000000F60000-0x0000000000F7A000-memory.dmp

Filesize
104KB

Download
memory/1532-170-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1532-827-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1532-311-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1536-346-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1536-334-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1552-384-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1552-845-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1560-76-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1560-7-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1560-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1560-8-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1720-118-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1720-260-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1720-110-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1720-111-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1736-869-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1736-398-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2028-408-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2028-275-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2040-130-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2040-22-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2040-14-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2040-13-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2064-397-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2064-261-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2096-192-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2096-197-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2220-412-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2220-343-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2224-200-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-348-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2228-425-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2228-409-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2288-533-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2288-422-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2368-554-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2368-528-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2484-73-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2484-39-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2484-40-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2484-45-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2488-572-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2488-551-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2492-62-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2492-55-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2492-56-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2492-87-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2672-349-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2672-733-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2688-27-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2688-36-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2688-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2688-149-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2696-667-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/2700-816-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2700-371-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2728-237-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2728-322-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2752-749-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2752-294-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2752-137-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2828-428-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2828-308-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2940-150-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2940-299-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2960-246-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2960-350-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2960-247-0x0000000000580000-0x0000000000771000-memory.dmp

Filesize
1.9MB

Download
memory/2960-370-0x0000000000580000-0x0000000000771000-memory.dmp

Filesize
1.9MB

Download