ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7

Analysis

max time kernel
118s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
Size

625KB
MD5

bc755a976f6e87928e2954bf3299d6c0
SHA1

f5b0f6c373195e1412881016481ae77607df5785
SHA256

ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7
SHA512

c79460d0e665d439ddadfab54956c2a24b231e7e561246287ee8e1e1be3860769a9bf96b30c9b23ac536429e8dc7aa352373111b75642c6d45465066fc4180dc
SSDEEP

12288:r2o7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+U:6oCks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
3068	alg.exe
2824	aspnet_state.exe
2828	mscorsvw.exe
2028	mscorsvw.exe
1368	mscorsvw.exe
2248	mscorsvw.exe
1432	ehRecvr.exe
1984	ehsched.exe
1872	elevation_service.exe
764	IEEtwCollector.exe
3020	GROOVE.EXE
892	maintenanceservice.exe
1924	msdtc.exe
1580	dllhost.exe
2816	OSE.EXE
2068	OSPPSVC.EXE
1060	mscorsvw.exe
1628	mscorsvw.exe
1464	mscorsvw.exe
2892	mscorsvw.exe
1956	mscorsvw.exe
2280	mscorsvw.exe
1664	mscorsvw.exe
1516	mscorsvw.exe
1060	mscorsvw.exe
2192	mscorsvw.exe
2604	mscorsvw.exe
1592	mscorsvw.exe
1972	mscorsvw.exe
1608	mscorsvw.exe
2268	mscorsvw.exe
2388	mscorsvw.exe
2860	mscorsvw.exe
1936	mscorsvw.exe
2624	mscorsvw.exe
1532	mscorsvw.exe
2652	mscorsvw.exe
2432	mscorsvw.exe
1356	mscorsvw.exe
1816	mscorsvw.exe
968	mscorsvw.exe
1172	perfhost.exe
1976	locator.exe
468	snmptrap.exe
1592	vds.exe
2340	vssvc.exe
1384	wbengine.exe
1616	WmiApSrv.exe
1960	wmpnetwk.exe
1440	SearchIndexer.exe
2844	mscorsvw.exe
2180	mscorsvw.exe
2948	mscorsvw.exe
1920	mscorsvw.exe
1496	mscorsvw.exe
1236	mscorsvw.exe
2252	mscorsvw.exe
2084	mscorsvw.exe
2460	mscorsvw.exe
1940	mscorsvw.exe
1780	mscorsvw.exe
576	mscorsvw.exe
776	mscorsvw.exe

Loads dropped DLL 49 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
740	Process not Found
1496	mscorsvw.exe
1496	mscorsvw.exe
2252	mscorsvw.exe
2252	mscorsvw.exe
2460	mscorsvw.exe
2460	mscorsvw.exe
1780	mscorsvw.exe
1780	mscorsvw.exe
776	mscorsvw.exe
776	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
1196	mscorsvw.exe
1196	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2900	mscorsvw.exe
2900	mscorsvw.exe
1728	mscorsvw.exe
1728	mscorsvw.exe
552	mscorsvw.exe
552	mscorsvw.exe
544	mscorsvw.exe
544	mscorsvw.exe
1056	mscorsvw.exe
1056	mscorsvw.exe
2900	mscorsvw.exe
2900	mscorsvw.exe
1448	mscorsvw.exe
1448	mscorsvw.exe
1056	mscorsvw.exe
1056	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3571e43c8ab55808.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5889422B-4E7B-4F63-944F-9F172CF77CBB}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5889422B-4E7B-4F63-944F-9F172CF77CBB}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP619.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFAE2.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFFE2.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF4BB.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1C57.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF0F4.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD69.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{443C3D6B-1326-496D-AF45-015CCFEEF7D6}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEE93.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040b4a1441fcada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080b7f3451fcada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0a6d04a1fcada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3056	ehRec.exe
2824	aspnet_state.exe
2824	aspnet_state.exe
2824	aspnet_state.exe
2824	aspnet_state.exe
2824	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2188	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: 33	836	EhTray.exe
Token: SeIncBasePriorityPrivilege	836	EhTray.exe
Token: SeDebugPrivilege	3056	ehRec.exe
Token: 33	836	EhTray.exe
Token: SeIncBasePriorityPrivilege	836	EhTray.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeDebugPrivilege	3068	alg.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2824	aspnet_state.exe
Token: SeBackupPrivilege	2340	vssvc.exe
Token: SeRestorePrivilege	2340	vssvc.exe
Token: SeAuditPrivilege	2340	vssvc.exe
Token: SeBackupPrivilege	1384	wbengine.exe
Token: SeRestorePrivilege	1384	wbengine.exe
Token: SeSecurityPrivilege	1384	wbengine.exe
Token: SeDebugPrivilege	2824	aspnet_state.exe
Token: 33	1960	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1960	wmpnetwk.exe
Token: SeManageVolumePrivilege	1440	SearchIndexer.exe
Token: 33	1440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1440	SearchIndexer.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe
Token: SeShutdownPrivilege	2248	mscorsvw.exe
Token: SeShutdownPrivilege	1368	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
836	EhTray.exe
836	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
836	EhTray.exe
836	EhTray.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe
1952	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1060	1368	mscorsvw.exe	54
PID 1368 wrote to memory of 1060	1368	mscorsvw.exe	54
PID 1368 wrote to memory of 1060	1368	mscorsvw.exe	54
PID 1368 wrote to memory of 1060	1368	mscorsvw.exe	54
PID 1368 wrote to memory of 1628	1368	mscorsvw.exe	47
PID 1368 wrote to memory of 1628	1368	mscorsvw.exe	47
PID 1368 wrote to memory of 1628	1368	mscorsvw.exe	47
PID 1368 wrote to memory of 1628	1368	mscorsvw.exe	47
PID 1368 wrote to memory of 1464	1368	mscorsvw.exe	48
PID 1368 wrote to memory of 1464	1368	mscorsvw.exe	48
PID 1368 wrote to memory of 1464	1368	mscorsvw.exe	48
PID 1368 wrote to memory of 1464	1368	mscorsvw.exe	48
PID 1368 wrote to memory of 2892	1368	mscorsvw.exe	49
PID 1368 wrote to memory of 2892	1368	mscorsvw.exe	49
PID 1368 wrote to memory of 2892	1368	mscorsvw.exe	49
PID 1368 wrote to memory of 2892	1368	mscorsvw.exe	49
PID 1368 wrote to memory of 1956	1368	mscorsvw.exe	50
PID 1368 wrote to memory of 1956	1368	mscorsvw.exe	50
PID 1368 wrote to memory of 1956	1368	mscorsvw.exe	50
PID 1368 wrote to memory of 1956	1368	mscorsvw.exe	50
PID 1368 wrote to memory of 2280	1368	mscorsvw.exe	51
PID 1368 wrote to memory of 2280	1368	mscorsvw.exe	51
PID 1368 wrote to memory of 2280	1368	mscorsvw.exe	51
PID 1368 wrote to memory of 2280	1368	mscorsvw.exe	51
PID 1368 wrote to memory of 1664	1368	mscorsvw.exe	52
PID 1368 wrote to memory of 1664	1368	mscorsvw.exe	52
PID 1368 wrote to memory of 1664	1368	mscorsvw.exe	52
PID 1368 wrote to memory of 1664	1368	mscorsvw.exe	52
PID 1368 wrote to memory of 1516	1368	mscorsvw.exe	53
PID 1368 wrote to memory of 1516	1368	mscorsvw.exe	53
PID 1368 wrote to memory of 1516	1368	mscorsvw.exe	53
PID 1368 wrote to memory of 1516	1368	mscorsvw.exe	53
PID 1368 wrote to memory of 1060	1368	mscorsvw.exe	54
PID 1368 wrote to memory of 1060	1368	mscorsvw.exe	54
PID 1368 wrote to memory of 1060	1368	mscorsvw.exe	54
PID 1368 wrote to memory of 1060	1368	mscorsvw.exe	54
PID 1368 wrote to memory of 2192	1368	mscorsvw.exe	55
PID 1368 wrote to memory of 2192	1368	mscorsvw.exe	55
PID 1368 wrote to memory of 2192	1368	mscorsvw.exe	55
PID 1368 wrote to memory of 2192	1368	mscorsvw.exe	55
PID 1368 wrote to memory of 2604	1368	mscorsvw.exe	56
PID 1368 wrote to memory of 2604	1368	mscorsvw.exe	56
PID 1368 wrote to memory of 2604	1368	mscorsvw.exe	56
PID 1368 wrote to memory of 2604	1368	mscorsvw.exe	56
PID 1368 wrote to memory of 1592	1368	mscorsvw.exe	57
PID 1368 wrote to memory of 1592	1368	mscorsvw.exe	57
PID 1368 wrote to memory of 1592	1368	mscorsvw.exe	57
PID 1368 wrote to memory of 1592	1368	mscorsvw.exe	57
PID 1368 wrote to memory of 1972	1368	mscorsvw.exe	58
PID 1368 wrote to memory of 1972	1368	mscorsvw.exe	58
PID 1368 wrote to memory of 1972	1368	mscorsvw.exe	58
PID 1368 wrote to memory of 1972	1368	mscorsvw.exe	58
PID 1368 wrote to memory of 1608	1368	mscorsvw.exe	59
PID 1368 wrote to memory of 1608	1368	mscorsvw.exe	59
PID 1368 wrote to memory of 1608	1368	mscorsvw.exe	59
PID 1368 wrote to memory of 1608	1368	mscorsvw.exe	59
PID 1368 wrote to memory of 2268	1368	mscorsvw.exe	60
PID 1368 wrote to memory of 2268	1368	mscorsvw.exe	60
PID 1368 wrote to memory of 2268	1368	mscorsvw.exe	60
PID 1368 wrote to memory of 2268	1368	mscorsvw.exe	60
PID 1368 wrote to memory of 2388	1368	mscorsvw.exe	61
PID 1368 wrote to memory of 2388	1368	mscorsvw.exe	61
PID 1368 wrote to memory of 2388	1368	mscorsvw.exe	61
PID 1368 wrote to memory of 2388	1368	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2828

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 1d4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 244 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 278 -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 258 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d8 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 280 -NGENProcess 250 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 27c -NGENProcess 290 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 250 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 298 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 2a0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 290 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 294 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 240 -NGENProcess 28c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e8 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 21c -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 264 -NGENProcess 28c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2b0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1c4 -NGENProcess 21c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 278 -NGENProcess 28c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a4 -NGENProcess 278 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 294 -NGENProcess 2b0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b0 -NGENProcess 290 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2ac -NGENProcess 278 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 278 -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 290 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 290 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 294 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 250 -NGENProcess 2ac -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 294 -NGENProcess 29c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 2b4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b4 -NGENProcess 250 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c0 -NGENProcess 29c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 29c -NGENProcess 28c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c8 -NGENProcess 250 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 250 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2d0 -NGENProcess 28c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 28c -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 21c -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2e8 -NGENProcess 2a0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2a0 -NGENProcess 2c8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 2c8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2c8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 300 -NGENProcess 2fc -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 30c -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f8 -NGENProcess 300 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 300 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 308 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 308 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 308 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 308 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 314 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 308 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 308 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 314 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 314 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 384 -NGENProcess 310 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 37c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 310 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 368 -NGENProcess 398 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3a8 -NGENProcess 310 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 310 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 3b0 -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 398 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b8 -NGENProcess 3a0 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b4 -NGENProcess 398 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c4 -NGENProcess 3a0 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3c0 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 398 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3a0 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 398 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3a0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 398 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3a0 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3c0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 398 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e8 -NGENProcess 3f4 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3e0 -NGENProcess 398 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 398 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3f0 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f4 -NGENProcess 404 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 414 -NGENProcess 3f0 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3f0 -NGENProcess 40c -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 404 -NGENProcess 41c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f0 -NGENProcess 3e0 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 440 -NGENProcess 3f0 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 3f0 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 480 -NGENProcess 470 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 470 -NGENProcess 46c -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 494 -NGENProcess 474 -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 474 -NGENProcess 480 -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 49c -NGENProcess 46c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4a0 -NGENProcess 498 -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 4a4 -NGENProcess 480 -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 480 -NGENProcess 49c -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 4ac -NGENProcess 498 -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  PID:2428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:968

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1432

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:764

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:892

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1924

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1580

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2816

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2964
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:1656
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
92c4f8176c994e2bfdabe4dc4d32b7ae

SHA1
02ab24fa532e86343ea9e8116f13b492e110a152

SHA256
0e13fc0870e21dd240ffc3ee25d2ad9b618adafc7c53223019712aa590bbfe96

SHA512
c1059317352e946ab02c24305c091bd44df1cc175d09f18236c2e02ab5716ce582a398fb6a784226b8310c335f22d84c856df5cdffd2068bed25e786b68e62c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
0019c6f21087f307f92d496a358d46be

SHA1
b31049934a62299d098a6ddb364456ade901a5bb

SHA256
da2e881d769feb28f69ac50d8bd0dc1c8fc96d75c8afecc9ef77f1ab80d35653

SHA512
6de794774ec3c4b10a954fb374e002a726a080c9f02283d9ecdcdd443b5666513fe4c31acfd0a88a6c4d9371a6007e1bdfe90f8ebf702a675e3f03b3ec2fe7e7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
e8196b586a53a9a068058da68361b53c

SHA1
bcea15ff3969bb236ebfccbb88df613f938161c7

SHA256
73cd49b72d0d3ca704a7a7ba750d63316250960a8d908b5e0baae10101126ac0

SHA512
d443ad044fe694017250dddae6ea34d10c5c62a5f3478d8a56e139da38381ef1c941174416b1188b22650bc158547ac98f6a269fd02abbed7790f78d0cac4693

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
7f562d154df0d51705d08cbd841fbda0

SHA1
d6b0cfd4fc37f2338c6d1d84e6fa1c728e0a94b0

SHA256
87144b2eae95edfcbff0350bb587f38439e3063eded9f8b42b062d8717368c06

SHA512
934c7f725461750c01f877b3e5bb0c16099225da4837159fb5babbe94834cfd8970461d63b5001b54c95beb6129927bfe7361a17a98495a1cc7c0205b48863aa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f3f601655b47c46cc62f53e7a45ec701

SHA1
f4298ff84437bdadefcf79defa2e23cc33635a8a

SHA256
62fac11b2091eeee8e54f5c20a0967e4a6e9790ec416db7a85ef2df01c8d2247

SHA512
73b4fd75f20c264af235a5b0cc128f47e0b087677b5f0ee0b7ecc4a0a3cf3699a2a5998d52a70b96d4bb36e8b7bd4cf0b1b1912c85c04e59bb8348780af6b0f1

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
79790d75c9874d73086133820c0212ea

SHA1
ed1e22a383a4306f2083605325062c2dee666a32

SHA256
5289a01ff9934700eb4e1f1d2998b4e5b440e151d6538729ff6899de2281d7f2

SHA512
5e04b96ac65660ee80f4ac193a2217371d8cc5a2542366bbc4cf16eaa6aefa662876fd2369d909eb34da036d9c0e029ec993b791d46dded15d580bd383f9f369

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
e27c5c86b3e37173755ea79e6f7fa8ab

SHA1
6cb22c6b1912e8993aba5b6e01f4f6f80ca039bf

SHA256
defb07d0ee99cb4262bca8cb1af44bdffa15f9d8c02f1571a3e2a8082f423fba

SHA512
6800c46b98ac90804fa2cfa34f79becb2212690056f98bb42f3a3f29b8eba80f019fd8f1e15a9543bca75b92a96084b3d78adc1c9539b183501b56c33a4da01f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000

Filesize
240B

MD5
7ca2da6f1e7bca562d7d9376700a912f

SHA1
67feaa004013eee76282e3b3fc196279f2577dcb

SHA256
04fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e

SHA512
4f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
960e94787b1e6f96ef746fdf7fd514a8

SHA1
0c31815924838aba4711204293dd20d57c193b48

SHA256
1b2142f0662995677ee2631dd013cfbdb5f16b920d96ae94392533030b7d04c1

SHA512
ce5cd231eede0dec69c98e5c77589828b951381fcf14d25276b6231d526f5d6dcb64f43bef4f1fde83b52218a06ec89b53c2984beaec3d1b6b96247295246e54

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
c915ae09383dc9f240f6a9ab674337ff

SHA1
ec6580055c6bce49aec03f624249f3bbaae4c0b3

SHA256
620fef6eab22c6efc81d8e0c85a1d14acb5574a13fbe4796ebcd1d3b94fb3f9c

SHA512
eae8154b2b16e2b2317ea7c762a7e949c7f3d5fb5c0be5509e19745e1ae5a11e44f4c0192067408592dc6da83e94253ea9d7cb0940f1d8ee1da468c912cc9878

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
1b07bfd5d4eb2ea1f8f800d5b63473ee

SHA1
d1b9993292f065e9f41e2d73ac90702781a67764

SHA256
fb86cab3e310f245a2fe3a376074eef0fed6e2a9ad973bc12dc20991e43d202c

SHA512
af043b68a2d11b016c4c79f06e486b6f2f6ae90177149a8529f342c7ac00f613cc5e9f8a0a83802836c54fb48726d21558f49ea5f71010e75992740063853a30

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c94ea762ff309f53f0731ca220267ed5

SHA1
7466aa18ce5dde1d92ce0e96f9131cac7c8e12da

SHA256
1b8e32dfa4de4aadd7c36cd3a132712628860ece6a8263492d03d6db95451168

SHA512
56ebcbe420625b5df9dbd78dd2d8487a2880ea3cc95b7feeb9a6ef16586490da854416a76c1e5d33264082f0c0e13bf1466753220f83d4f7b1dba28d1b1d6f38

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
de967cd85949742c537d598340a47429

SHA1
1000ea48698811e35ef2c4585ea46517c7f19934

SHA256
95bc9c4d85879294000ad9057fbef5ce0233fb2ebdffa4c34a7790590af17a18

SHA512
00f3f67892868693068b5dd9a9553d60d0e956bbce493d96305e8c0e130a2f294ed2516ef17d9a678f844860969ac1250fc03c9cf6e882d93915dc72d166244c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
1d9bda570c29f1217acec7e10a6571c4

SHA1
c4bc5794c4b88f9087dce69142d983fdc118342b

SHA256
537e546351f21e613a8cf646f29f2953e1145ee31c8efa0dd7431e856d872c76

SHA512
a532d7c1f79723a1da83a3241daaa829fcfe002aa0ff67ef71885fe41d1fd2d3666a0db3dfc2c0e3c726fb503db8a50b50a75bd9ec35034ed345facc28e55bf0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
c149fb6a10dfd07b688d1ba6dbe91bf8

SHA1
d1d78a608633f4fc2d7f1b7244037a86d24188cf

SHA256
6bdc0c2e810029a1b622b2e4dde94cde7b9026cda9d52167a14daffcba64b2c0

SHA512
f9aaa9829719d6451dd7c5afe792c84ac75aef3fc3bf4f1951b6d523d689e5f1a66ee0b73b2d35ba7c260a5ae56fa6a1e26d9a68fb905b209f6ac6d3ff1f9af2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
823dda2299c516dfd001d6bfc5f99ef5

SHA1
09df5db0c3b2150d8b01c56f9b100a202cfbab1f

SHA256
d56bc74d04b9ad91bd0bb003123e104d756104014f1e6b3ba2bebdb9aaea0cb8

SHA512
5ff569c2f198b7f425ecc299e87a75be83bbd92c76e3994a72a8c500044e258a4ed1d90de9d3d0bcec4777e224126755fd962777974b28efdbdd7d32f5c561e1

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
a8c87807e425234211801b019b44eb26

SHA1
52dd8e006802537c9f66fac1102e3d9c00e08015

SHA256
9fe235381dc4c06755821d62060cac8b5824ad955054108334a0876f6bbaf9e3

SHA512
c8579025b36cee23ef71a335d3cabd4c18a8bb9fac825e37acde9890f41887035337abbc30a85044b17988d2fb5ea22e407b85daee67f8f91349a3a2e831e214

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
f7c5ce5582b63c0afcb5a726a9df939d

SHA1
1d3778c5a5b133d7ebc78626b65d419315eaf83b

SHA256
bc46f427245f2535a1799663e504f10fe51646ebdf8f0a2f5131a78359569d99

SHA512
c449aef3e34928ebf9d9c90df21e9ed4225b9a1d57e384ed0f77cb95da5543b2aab67739e4c8a8a8ad24d60da8f3fd769e893bc05109f4de576eacc388a6eea9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0d395f580cd2f286b1924372dc825243\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
35902f6b5af2b8def6865d63f583eae3

SHA1
805143b51d4edb7afd66ac0bc42dc415ef31bede

SHA256
fc27f26c37a9a541323e0ade99819e5adb8fe0c85a6c7b2ff9cd849cd8ef6af6

SHA512
6b2bb0ab7f579ee79233950230e92bb35ff213740172fde508d55c02d9f4f0cdba1b38cb5426c738d598c6ba56002f82f103aa809924ef2f9b80174b0293cee8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
648KB

MD5
7ebbba07bc6d54efd912bcd78b560b7b

SHA1
a6aee1a80ddcdf201301ac29293c62d58bcc941d

SHA256
637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a

SHA512
2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b4bdb99cd1712b68a4bb994a6cab54fc\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
ac0039a52b64d488c29b9cb0a4e4bfd2

SHA1
a1b61fac367b3a44d0babea8125321db5e85bea5

SHA256
c5fd98365f2090a2d1579f79de0803998d86c0fa599525ac0e5f1a9e5cbd4c18

SHA512
6b6802ec87fe56c2c8be3c8f4d657e2dcd6d3d217874903f035f5e270af719f008f218ea96b88e8185fc494eb825bdcd7d152765d235b2bc0edbb8d596e6974a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d36d5faf337c14ca97417ad2d1b160d9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
93d0775e417ce3677d7f01cee57f5140

SHA1
6c178349e4b6d3026732ed5186a1fe0860bc1e9b

SHA256
aca40c4be1ac4db099f03389d34da9764f226ecbfab53dbf15ca43f04ad93bc5

SHA512
267e573ebb93e1e2f0dae8777525e2975a259cc3f013e3e3815ebeaf688354401fbdc03775b12c0a7348595aa60d3ec3b9147079ebd6f383b832f2f66857e266

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
b4eb0a3f28278fc0a316bd53094cda45

SHA1
c712cab3f4f5deb748e014344510309336d9e351

SHA256
d2e22fa86652338e79158dd6e320b35f2862ad6251331ca8322dfae5f6af199c

SHA512
4ab7520626242e86881a9f5946d56c32463ea2abb5e89b5a9baf5b34d0b525ab943f843b5671383d3077abd5a2e3cc1950dd0ba429adc52c727959d83aae4d3a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
09bcda97de0ad09d587368453dff483b

SHA1
e8458f5422d73c10a1a1bd0e8f44cab4b7eb425d

SHA256
40ee67d49ccee0f9ec44450c7d91c0b9b9b7d6072cf972462280bb9be1621c0d

SHA512
39aeaa9aabf52ca6933d3ce002c32714bdaf4c7991b5ee7f4b998e6e05a285512e8b6cfde36780a68c24950114fc3db9a408e4224a7cc610058eb9bc53b5c557

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
5fda31b72a0d68cb56187e5c214d6bcc

SHA1
c58207661f05f88f07e655f336b2bcbb26e458a6

SHA256
5726d147f715149de8b069684f62b196b5a42eb115d95cb7317c2856036ea004

SHA512
77a0f504b8fa68d7b3620ec96d4e924f86c96a284e92721034ac59b9626d0fd2bc454214574f6cb7a382a8df0e67696b4100b7c89a114b0901a45c547d6b8fc8

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
d4e90145b8dcc3fb9f98752b0f553e98

SHA1
5d29b85f6311f8351533ccec452c326374fb071f

SHA256
efbb481d5d03e1f0b88c5fabeac4c2c0f1f07e986fe1bbddb008454ea9dc884f

SHA512
bb02e6bf09f7c9e2aa40113ff23bf5cdcb59bbfafe2266eaedf536bbb64dc2bc3e08690970e0f9e85dce9e1f4b5856816e9a6ecb8f6f6c6dc5089b78ffbbb528

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
2d8586e2d1977ab49f77f763882c5e46

SHA1
7ea769707bcfa30aea60cb2fb42d54ad3665a1ae

SHA256
98372e0ac53029fbd578c476bdb7e551d42b23c49e2507e16d9d5e02121f7194

SHA512
457804f23e18efc847994f91ee1ce6263b819917f7c114823908955a67b1def9cd10fb7a2d56c6d317644d763dc7118ab515fa736a505fdb4a62f0459d4eed68

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
c14f8f0cd0f24cc8cc9c853e40cafc61

SHA1
f11039556edb7ee2c9eae5c5bea431f15c083c43

SHA256
a6e3fc9004d61bb6d807682f487360f5a56cffcc3992ca391eac585c43d47b03

SHA512
e98d18a1d36a7f19ffc082316517ec253c28ad9f88dd95fa2c50323e1a0f4bf8890f256c3da42dd9e53a371c5cb7fa73b77decceb46f90fd54a5b8b67f85e58d

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
07e7f20a22cb728e1b9e0cb8337de94f

SHA1
a39abef35400dd9ce438b6bd1586c19beaad96a7

SHA256
bbaa7ff0a58b3ee7d5f3f1f0f56d84eec55a47eb09bb5cd5922a82a2fdaaf490

SHA512
cc9ab8efce4a7fa9259b70fefece4ecdb7b612cc23a0b3e3c8daf4ffc5b37f68a0f52cdd6c5c17a4bf6b09fbe7d5ab0d39c21f231041fbf82e77b411b048864e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
1a0d7f7f11b4c6baed52ae02d0983534

SHA1
89ba2d413d115d0cde3e645481d33553151a9ac1

SHA256
3ab310b39c64a894c1680428549a388d080ec7b19aa7864de930e2a51f433cd6

SHA512
cf388555c98c02a5785c32603d03e9c600cb40c2f356f17585a8a25b908160631aead23001906ac6ca015c39010fb241b43cb349584e558b2c9a961f8a62b4aa

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
02d2da006fbb3b03d0a0bbd6c5840cdc

SHA1
d6ebd66b55c5c16eed90e95a79ef8fe8a1975509

SHA256
7ecfd7f0ab6107ae174a2b04105a5b3dd0ae4309216c5ae3f9e0c0827188366d

SHA512
f0c7c397f50f82d7faa25d892ca17e03c060e2e4167694c69f0087c4f67791268b8ef4ee53db9683894a01e343df12d3b5ec7dbfeea9084bea72b1be9f57b340

Download Submit
memory/468-758-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/764-420-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/764-158-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/764-724-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/892-196-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/968-701-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/968-715-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1060-502-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-496-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-329-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-358-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1172-740-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1356-690-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1368-80-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/1368-75-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/1368-74-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1368-240-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1384-794-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1432-119-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1432-356-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1432-729-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1432-113-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1432-112-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1440-818-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1464-398-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1464-371-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1516-473-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1516-486-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1532-662-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1580-214-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1592-564-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1592-768-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1592-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1608-588-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1608-566-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1616-804-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1628-357-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1628-362-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1664-458-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1664-476-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1816-712-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1872-397-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1872-147-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1924-430-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1924-193-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1936-639-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1936-623-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1956-440-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1956-421-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1960-816-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1972-576-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1972-562-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1976-746-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1984-370-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1984-721-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1984-124-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2028-64-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2028-56-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2028-88-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2028-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2068-511-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2068-241-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2188-6-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2188-8-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2188-1-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2188-200-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2188-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2188-73-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2192-532-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2192-513-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2248-95-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2248-96-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2248-102-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2248-327-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2268-601-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2268-589-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/2268-585-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2280-436-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2280-459-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2340-778-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2388-597-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2388-607-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2432-685-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2604-523-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2604-550-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2624-637-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2624-643-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2652-653-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2652-666-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2816-227-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2816-493-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2824-28-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2824-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2824-138-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2824-35-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2828-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2828-84-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2828-45-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/2828-40-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/2860-615-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-627-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2892-404-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2892-399-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3020-419-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3020-184-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3068-111-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3068-21-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/3068-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3068-20-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/3068-14-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download